Storing Data in Cloud

Key Management in Cloud

As I mentioned in my previous article, key management in the cloud is one of the biggest concerns floating around, because if ownership of the key is lost, the whole underlying encryption strategy is of no use. For more details, please refer to my published article here.
S3 object URL formats: http://s3.amazonaws.com/bucket/key and http://bucket.s3.amazonaws.com/key

Encryption Capabilities of AWS S3

As data moves from the client's on-premise environment to AWS S3, it should be protected both in transit and when stored in S3 buckets. While a strategy for protecting data in transit can be built around deploying SSL/TLS, protecting data at rest involves the following two deployment options:

Client Side Encryption

In client-side encryption, all encryption and decryption happens exclusively in the application, using a process called "envelope encryption". In the envelope encryption process, encryption keys and unencrypted data are never sent to AWS, so it is very important that the client manages its encryption keys safely. If the client loses its encryption keys, it will not be able to decrypt its data, and it cannot recover the keys from AWS, since AWS knows nothing about them. The encryption and decryption process in AWS S3 client-side encryption is as follows.

Encryption

Generate a one-time-use symmetric envelope key using the AWS S3 encryption client, and encrypt the data with this envelope key. Encrypt the envelope key with the master key (a public key or a symmetric key), and store the encrypted envelope key with the encrypted file. Store a description of the master key alongside the envelope key, so that the key used to encrypt the envelope key can be uniquely identified.

Decryption

Retrieve the encrypted envelope key stored with the encrypted file, together with the description of the original master key. If the description of the master key on hand does not match that of the original master key, use the unique description to fetch the original master key (symmetric key or private key). Decrypt the envelope key with the master key, then decrypt the file data with the envelope key.

Advantages

If the client's master key is compromised, they have the option of re-encrypting only the stored envelope symmetric keys, instead of re-encrypting all the data in their account.

Disadvantages

Despite the advantages above, the one drawback of client-side encryption is that the encrypted envelope symmetric key is stored on the AWS side alongside the object, so the client does not have full control over the keys.

Server Side Encryption

Features of Server Side Encryption:

AWS S3 accepts encryption keys as parameters only over an HTTPS connection; any key provided over insecure HTTP is discarded. All key-management lifecycle activities are the client's responsibility alone. If the client loses the encryption key, the client loses the object stored in AWS S3.

When using AWS S3 server-side encryption with customer-provided keys, provide the encryption key information using the following headers:

Advantages

The client has complete ownership of the keys. Thus the chances of data theft from the CSP side are eliminated.

Disadvantages

Since the client has complete ownership of the keys, if the client loses the key, the client loses the data as well. AWS will not be responsible for recovering the data.
