Encryption in AWS; the Key, the Secret
So you read our recent post about encrypting your EBS storage. You have encrypted all your data in transit, and at rest, job done, right? Who owns your encryption keys? Who owns your data secrets?
What is Encryption?
This isn’t a daft question. I mean, we all know that encryption is a way to ensure only the right people can read our sensitive information, but how does encryption achieve that?
Imagine you’re a spy, and you need to get a coded message to someone. It is of critical importance that the message is never intercepted or understood by anyone else. Well, you could agree a code with the recipient ahead of time, and they would know how to read your message when they receive it. Let’s say you swap the first and last letters of each word, as a simple example.
The agreement you made before sending the encrypted message is the encryption key. Anyone who has that key would be able to decrypt the message, so the key itself becomes the secret.
This analogy actually goes further than that. Imagine you came across a letter on the street full of juicy information, but you had to do a bit of lateral thinking to read it, because some letters were jumbled up. That letter can still be thought of as having been encrypted, but the method they used, or encryption key, was easy to work out. That is weak encryption.
In computing, the ways of scrambling messages are obviously much more complicated than the above example, but it’s the same principle really.
Encryption Keys
Provider-managed
When we smugly tick the box for encryption on this or that service in our cloud management console, that’s the job done, isn’t it? But if we think back to the agreement about how we scramble data from above, we don’t set that up here. So what’s going on?
Cloud platforms are very clever, and they look after us. When you create a new account with a cloud provider, they set up a load of encryption keys for you. Those keys are then encrypted with a master key, and linked to your account. When you need to encrypt some data, the keys assigned to your account are broken out, and assuming you have permission to use them, they’re used to scramble and unscramble your data. It happens as if by magic.
There’s nothing wrong with encryption using this method. Cloud platforms go through rigorous security vetting processes to ensure their methods for dealing with data are as robust as possible, but it does rely on trust. You must trust your cloud provider to do what they said they would do, and to keep your keys safe. That isn’t always appropriate, and you might want to manage your encryption keys yourself.
Self-managed
AWS gives you tools to manage encryption keys yourself, to control access to the keys, and even to provide the key itself. The service is called Key Management Service, or KMS.
Like most of AWS’s services, it’s super-simple to use too. All you need to do is make a request to the KMS service via an API or the command line, and tell it which key to use and what you want to encrypt. KMS does the rest as if by magic. The same goes for decrypting information.
The entity (this can be a human, or more usually a machine) making the request never needs to know the key. Just define a key in the KMS console when you set the service up, and tell it who can use it.
Imagine all the times you might want to control who can access your encrypted data:
- Someone leaves your organisation
- You cease trading with an entity
- You have information for multiple clients in one system
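As an added illustration of "tell it who can use it" (not taken from the original post), here is a KMS key policy that separates people who manage a key from the one application allowed to use it. The account ID `111122223333`, the role names `ExampleKeyAdmin` and `ExampleClientAApp`, and the encryption-context pair `client` = `client-a` are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Id": "constructed-example-key-policy",
  "Statement": [
    {
      "Sid": "KeyAdministratorsManageButCannotDecrypt",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/ExampleKeyAdmin" },
      "Action": [
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:PutKeyPolicy",
        "kms:EnableKey",
        "kms:DisableKey",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AppMayUseKeyForClientAOnly",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/ExampleClientAApp" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:EncryptionContext:client": "client-a" }
      }
    }
  ]
}
```

Deleting the second statement removes that role's permission under this policy without touching the encrypted data, and the condition means a request only succeeds when it carries the matching `client` encryption context, which keeps one client's data apart from another's in a shared system.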
Governance
Another great reason to use KMS is when you have strict governance requirements. For example, if you are dealing with health or financial information and need to be FIPS compliant, KMS can help you deliver this.
As part of KMS, you have access to a Hardware Security Module, or HSM. An HSM is a physical device which can cost hundreds of thousands of pounds, and can produce mathematically strong encryption keys. Traditionally an HSM would only be found in government departments and huge financial institutions because of the expense. This is another example of the cloud bringing these technologies within reach for everyone.
If you’d like your keys generated by the HSM, no worries. Like everything else, you only pay for what you use. And yet, your encryption is just as strong as the world’s biggest banks.
If AWS wanted to decrypt your data, they couldn’t. Only you have the key. Doesn’t that give you a warm, fuzzy feeling inside? Just me? Okay.
Sliding Scale of Encryption
For most people, just having their data encrypted is enough. We’re not trying to hide state secrets, we just don’t want to give hackers an easy time. I’m certainly not telling anyone not to trust Amazon’s built-in encryption methods, and I don’t want to complicate anyone’s environment. But what I do want to do is show the scale of encryption security, and help you to decide what’s best for your use case.