Securing Encryption Keys in the Cloud: Part 1

23rd February 2019 by Thando Toto

For security reasons or regulatory compliance, encryption is one of the core data security controls for handling sensitive information. Simply put, encryption scrambles data into unreadable content. There are three components to it: the data to encrypt, the encryption algorithm and the encryption key. The key is used by the algorithm in the process of encrypting and decrypting the data.

It is essential that the encryption key is kept safe from cyber attacks and that there are proper controls on its access and use. That is where a key management system comes in. It is special software that is deployed and run on highly secure servers. It serves the purpose of managing the creation, storage and protection of encryption keys, as well as delivering them when they are needed to encrypt or decrypt data.

Key management is challenging; some organisations may therefore accept that it is not their core competency, and fear the risk of losing access to their data if they get it wrong. As organisations move into the cloud, it will be important to look for a key management infrastructure in the cloud provider’s offering and to assess how its key management helps them meet their contractual obligations or regulatory compliance.

To help organisations meet these requirements, Amazon Web Services (AWS) offers AWS Key Management Service (KMS). This service centralises the control of your keys and integrates with many of the AWS services that make use of encryption keys.

Encryption keys used by KMS:

Master key — This key is created and used by KMS to encrypt and decrypt data keys. You can reference it by an ID or alias. In AWS this master key is referred to as a Customer Master Key (CMK). There are three types of master keys:
- Customer managed CMK: You have full control over these CMKs, so you can configure key policies and integrate with AWS CloudTrail logs to audit access to these keys.
- AWS managed CMK: These keys are created and managed on your behalf by AWS services that integrate with KMS. Though you don’t have control over these keys, you can still audit their use through AWS CloudTrail logs.
- AWS owned CMK: You have neither control over these keys nor any access that allows you to audit them. They are not in your AWS account and are used by AWS to protect your data.

Data key — A data key is generated using the CMK. Data keys are used to do the actual encryption of your data. Since AWS does not manage or track this key, you have to encrypt it (using the master key) and store it alongside the data you’ve encrypted with it.

This process of encrypting data with a data key and then encrypting the data key with another key (a higher-level data key or the master key) is called envelope encryption. At a minimum it is a two-tier hierarchy, but you could use a multi-layered hierarchy of encryption keys, for example one key per record in a database table, per application, per server, per region, and so on.
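The two-tier envelope scheme described above, as an added example that is not part of the original post: in-process AES-256-GCM stands in for both tiers, so the `masterKey` argument plays the role of the CMK, which in real use never leaves KMS (GenerateDataKey and Decrypt would perform the wrap and unwrap server-side). `Envelope`, `seal`, `open` and the function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is the stored record: the ciphertext plus the data key wrapped under the master key.
type Envelope struct{ WrappedKey, Ciphertext []byte }

// gcmFor builds AES-GCM; a wrong key size is a programming error, so it panics rather than returns.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
// seal encrypts and prepends a fresh random nonce; open splits it off again and authenticates.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // never returns an error as of Go 1.24; the process aborts if the OS RNG is unusable
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
// EnvelopeEncrypt: a fresh 256-bit data key encrypts the data and the master key wraps that
// data key (KMS GenerateDataKey does both); the plaintext data key is used once and dropped.
func EnvelopeEncrypt(masterKey, plaintext []byte) Envelope {
	dataKey := make([]byte, 32)
	rand.Read(dataKey)
	return Envelope{WrappedKey: seal(masterKey, dataKey), Ciphertext: seal(dataKey, plaintext)}
}
// EnvelopeDecrypt unwraps the data key (KMS Decrypt in real use), then decrypts the data.
func EnvelopeDecrypt(masterKey []byte, env Envelope) ([]byte, error) {
	dataKey, err := open(masterKey, env.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, env.Ciphertext)
}
```

Losing the master key makes every wrapped data key, and therefore every record, unrecoverable; that is the risk the post refers to, and a different master key or a modified ciphertext is rejected by the authentication tag rather than producing garbage.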

You can set key policies to control:
- Who can create or use a master key
- Who can enable or disable master keys
- Who can audit the use of master keys
- Which applications have permission to encrypt or decrypt
- Which external AWS accounts are given access to encrypt or decrypt

Your plaintext keys are not accessible to anyone, including AWS staff. This service uses FIPS 140-2 Level 2 compliant hardware security modules to protect your keys. This means the hardware must be tamper-evident: there must be evidence should a crypto module be attacked. FIPS compliance proves the use of a validated crypto module and approved crypto algorithms, and is therefore a statement of security quality.

Thando Toto – CCSK | AWS Cloud Solutions Architect - Associate
