9_Encrypting Data at Rest
Encryption at Rest with AWS KMS
Importance of Data at Rest Encryption
- Encrypting data at rest protects its confidentiality; integrity (detecting modification) needs an authenticated mode such as AES-GCM, which AWS KMS uses, or a separate integrity check.
- Adds a layer of defense if a system or storage medium is compromised: a copied disk, snapshot, or backup yields only ciphertext unless the attacker can also use the key.
- Encryption is the primary method for safeguarding data at rest; access control on the keys is what makes it effective.
Basic Definition of Encryption
- Encryption uses a cipher to transform readable data (plaintext) into unreadable data (ciphertext).
- The cipher specifies the algorithms for both encryption and decryption.
- A key, a secret string of bits (usually displayed as hexadecimal or base64 text), is the input the algorithm uses to encrypt and decrypt; the algorithm can be public, but the key must stay secret.
Symmetric vs. Asymmetric Encryption
Symmetric Encryption
- Uses the same key for both encryption and decryption.
- Generally faster and more efficient for large data volumes.
- Modern symmetric algorithms such as AES are widely used and considered secure when used correctly (adequate key length, a unique nonce per message, an authenticated mode).
- Suitable when speed, cost, and low overhead are priorities.
- Appropriate when every party that must decrypt is inside the organization's trust boundary, because the same secret key has to be distributed to all of them.
Asymmetric Encryption
- Employs a public key and a private key (a key pair).
- Data encrypted with the public key can only be decrypted with the associated private key, so the public key can be published and the private key never has to be shared.
- Not inherently more secure than symmetric encryption; its advantage is key distribution (no shared secret is needed). It is much slower and limited to small inputs, so in practice it protects keys (as in envelope encryption) or produces digital signatures rather than encrypting bulk data.
- Choose it when sharing data with external parties or when regulatory or nonrepudiation requirements call for digital signatures, which only the private-key holder can produce.
Envelope Encryption
- A practice of encrypting the key used to encrypt data, rather than an encryption method in itself.
- Analogy: Securing valuables in a safe, then securing the safe's key in a safety deposit box.
- Involves multiple layers of keys, each protecting the one below it; the top-level key (in AWS KMS, the KMS key) never leaves the key service.
- Steps:
- Encrypt the item with a fresh data key.
- Wrap (encrypt) the data key with another key, the key encryption key.
- Store the wrapped data key with the encrypted item; the key encryption key itself is never stored with the data, so the stored pair is useless to anyone who cannot call the key service.
Client-Side Encryption (CSE) vs. Server-Side Encryption (SSE)
Client-Side Encryption (CSE)
- Application encrypts data before sending it to AWS.
- User creates and manages their own keys.
- Keys and encryption methods are known only to the user; AWS never receives the plaintext data or the plaintext keys.
Server-Side Encryption (SSE)
- AWS encrypts data on your behalf before writing it to disk and decrypts it when an authorized request reads it.
- Keys can be managed entirely by AWS or, with AWS KMS, controlled by you; either way the service handles the plaintext, so the trust boundary includes AWS.
AWS Key Management Service (AWS KMS)
- Managed service for creating and controlling keys used for data encryption.
- Key features:
- Automatic key rotation on a schedule (for KMS keys with AWS-generated key material; old key material is retained so existing ciphertext still decrypts, and stored data is not re-encrypted).
- Ability to disable keys or schedule their deletion (mandatory waiting period of 7 to 30 days); once a key is deleted, data encrypted under it is unrecoverable.
- Option to import your own key material.
- Support for both symmetric and asymmetric keys (asymmetric keys for public-key encryption or digital signing).
- Cryptographic operations:
- API calls that use AWS KMS keys to protect data (e.g., Encrypt, Decrypt, GenerateDataKey, GenerateDataKeyPair); the key material itself never leaves the service unencrypted.
- Integration with other AWS services (these integrations use symmetric encryption KMS keys only).
AWS KMS Integration with Amazon S3 (SSE-KMS)
- Amazon S3 and AWS KMS perform envelope encryption.
- Upload process:
- Amazon S3 calls AWS KMS (GenerateDataKey) to request a data key and an encrypted copy of that key.
- AWS KMS generates a plaintext data key and encrypts it under the specified KMS key, using the object's ARN (or the bucket ARN when S3 Bucket Keys are enabled) as encryption context, so the encrypted key is bound to that object.
- Both the plaintext data key and the encrypted data key are returned to Amazon S3.
- Amazon S3 encrypts the object using the plaintext data key, stores the encrypted object, and discards the plaintext data key from memory.
- The encrypted data key is stored in the object's metadata.
- Retrieval process:
- Amazon S3 sends the encrypted data key, with the same encryption context, to AWS KMS for decryption; the call is authorized against the KMS key policy, so a principal without kms:Decrypt on that key cannot read the object even with s3:GetObject.
- AWS KMS decrypts the encrypted data key using the same KMS key and returns the plaintext data key to Amazon S3.
- Amazon S3 decrypts the encrypted object using the plaintext data key and removes the plaintext data key from memory.
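The envelope-encryption steps above and the SSE-KMS upload and retrieval flow, as one added worked example in Go. This is not code from the original page or from AWS: it uses the standard library's AES-256-GCM and a constructed FakeKMS stand-in that holds the key encryption key and exposes GenerateDataKey and Decrypt, the two calls the flow needs. The key ID, object names and sample object are made up, and the object name plays the role of S3's aws:s3:arn encryption context. A real deployment would call AWS KMS through the AWS SDK instead of FakeKMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM, prepending a fresh random nonce.
// aad is authenticated but not encrypted, binding the ciphertext to its context.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error on Go 1.24+; check it on older toolchains
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to key, ciphertext, tag or aad makes it fail.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// FakeKMS stands in for AWS KMS in this example (hypothetical): it holds the key
// encryption key (the KMS key) and never returns it; only wrapped data keys cross its boundary.
type FakeKMS struct {
	KeyID string
	kek   []byte
}

func NewFakeKMS(keyID string) *FakeKMS {
	kek := make([]byte, 32)
	rand.Read(kek)
	return &FakeKMS{KeyID: keyID, kek: kek}
}

// GenerateDataKey models KMS GenerateDataKey: a fresh 256-bit data key is returned in
// plaintext and wrapped under the KMS key. The key ID and the caller's encryption
// context are bound as AAD, so the blob unwraps only under the same key and context.
func (k *FakeKMS) GenerateDataKey(ctx string) (plaintext, wrapped []byte, err error) {
	plaintext = make([]byte, 32)
	rand.Read(plaintext)
	wrapped, err = seal(k.kek, plaintext, []byte(k.KeyID+"|"+ctx))
	return plaintext, wrapped, err
}

// Decrypt models KMS Decrypt for a wrapped data key.
func (k *FakeKMS) Decrypt(wrapped []byte, ctx string) ([]byte, error) {
	return open(k.kek, wrapped, []byte(k.KeyID+"|"+ctx))
}

// PutObject follows the SSE-KMS upload path and returns what the service persists:
// the ciphertext and the wrapped data key (kept as object metadata). objectName plays
// the role of S3's aws:s3:arn encryption context. No plaintext key is written anywhere.
func PutObject(kms *FakeKMS, objectName string, body []byte) ([]byte, []byte, error) {
	dataKey, wrappedKey, err := kms.GenerateDataKey(objectName)
	if err != nil {
		return nil, nil, err
	}
	defer zero(dataKey) // plaintext data key is discarded once the object is encrypted
	ciphertext, err := seal(dataKey, body, []byte(objectName))
	return ciphertext, wrappedKey, err
}

// GetObject follows the retrieval path: unwrap the data key at KMS, then decrypt locally.
func GetObject(kms *FakeKMS, objectName string, ciphertext, wrappedKey []byte) ([]byte, error) {
	dataKey, err := kms.Decrypt(wrappedKey, objectName)
	if err != nil {
		return nil, err
	}
	defer zero(dataKey)
	return open(dataKey, ciphertext, []byte(objectName))
}

// zero overwrites key material once it is no longer needed.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}
```

Two properties of the page's flow are visible here: the stored pair (ciphertext plus wrapped key) is useless without a Decrypt call against the right KMS key, and because the encryption context is part of the authenticated data, a wrapped key copied from one object's metadata onto another object's name does not unwrap. Tampering with the ciphertext fails GCM authentication rather than yielding garbage, which is why the authenticated mode matters for the integrity claim made earlier.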
Key Takeaways
- Encrypting data at rest enhances security because stolen storage media, snapshots, or backups yield only ciphertext; an attacker must also obtain, or be authorized to use, the key.
- Symmetric encryption uses a single key for encryption and decryption.
- Asymmetric encryption utilizes a key pair (public and private keys).
- Envelope encryption involves encrypting data with a data key, then encrypting the data key itself under another key.
- CSE encrypts data locally before sending to AWS, while SSE encrypts data at its destination.
- AWS KMS keys are the core resource in AWS KMS: their key material never leaves the service unencrypted, and the service performs encrypt, decrypt, and re-encrypt operations on your behalf, subject to the key policy.