I had the fortune to listen to Ken Beer and Ryan Treat’s talk on keys and certificates. Here are my notes:
Keys
- Key hierarchy: A technique to improve the manageability and security of a large number of keys by encrypting keys with another set of keys.
- Envelope encryption: Data keys for applications are encrypted by a set of master keys. This lets applications encrypt large amounts of data without sending it all to the cloud to be encrypted; only the data keys are encrypted with the master keys.
- Client-side encryption: encrypt data before sending it to the server (or cloud provider).
- Server-side encryption: encrypt data on the server (or in the cloud) after it has been received.
- AWS KMS
  - It is integrated with 19 AWS services to support server-side encryption.
  - Allows administrators to define how the keys can be used (by defining policies).
  - Logs key use activity (CloudTrail).
  - Allows you to bring your own keys.
  - $1/key version/month
  - $0.03/10,000 API requests
- AWS CloudHSM
  - $20,000/year
  - For customers who want further physical security of the server machine. If it breaks, it's on you. You control access to your keys and the apps that use them.
- Introduced 2 years ago
- In China, customers should use client-side encryption
- For databases, data is encrypted with a single key before it is written to disk. AWS does not yet handle table- or row-level encryption; use the DB-specific features offered by the DB vendors.
- When you rotate keys, AWS keeps all older versions of the keys. This means you do not have to re-encrypt everything, which costs money.
- The delete key API requires a waiting period of at least 7 days.
- AWS does not store data keys. For non-S3 uses, if you lose the data key, you also lose the data. For S3, the key is stored in the metadata.
Certificates
- Certificates are used for trust, not security
- The trend is toward shorter validity periods to reduce risk.
- Obtaining a CA-signed certificate can take 4.5 hours.
- Wildcard certificates: high risk, since if one server is compromised it opens attacks against all servers on your domain.
- The microservices design approach increases the number of connections that need to be secured.
- With more frequent deployments (DevOps), certificate validity periods can be shorter.
- Amazon Certificate Manager (free) provides domain validation.