What: Key management — Encryption is not hard, key management is

AWS KMS is also known as Key Management Service (KMS). This is important because its core Service is Key Management, which helps enterprises and developers manage their keys easily and securely. Many students who are new to KMS often don’t know exactly what KMS does, largely because they don’t pay attention to the word “Key Management”.

So our first question “What” has been answered. KMS is a service that manages keys, not some super Super Magic encryption method.

I hope the reader of this article will realize that encryption is simple, but the hard part is managing the key itself.

Why: KMS ensures the security of your key

Then come to the second question: Why? Why do I need to give my key to you to manage, I can not save myself? In fact, you can manage it yourself, just as you can build your own computer room, if you know the best practices and are willing to take the time to maintain them yourself. Services are called services because They deal with those heavy lifting so that you can spend more time and energy on more valuable things.

So what does AWS KMS do for users?

  1. Fully hosted: you don’t need extra servers, you don’t need extra maintenance staff.
  2. Simplify the encryption process: You don’t need to worry about the tedious details of the encryption process, just call the relevant interface.
  3. Security audit function: it is not enough to ensure security. You also need to know who has access to the key, who used the key when, and who deleted the key when. This is important for large enterprises and companies that provide platform services. These auditing capabilities, which can be very fine-grained, have been fully built into the AWS ecosystem through the AWS Cloud Trail Service. (It’s not enough to be secure, you have to demonstrate to somebody, whether that’s internal audit, your boss, Or maybe your customers.)
  4. Make sure your keys are secure: You don’t have to struggle to find a way to keep your keys somewhere confidential and off the grid. In fact, AWS KMS keys (Matser keys, to be exact) are kept entirely in memory, and no one (including AWS itself) has access to the original contents of the keys, as explained below.
  5. Key Rotate process: AWS periodically or manually refreshes key content, which is a best practice for key management.

How: It’s complicated but they do it for you

Now that you know why AWS KMS is being used, and this is the focus of this article, take a look at How: KMS internals work.

First look at symmetric encryption and asymmetric encryption: in brief, symmetric encryption refers to encryption, decryption with the same key; Asymmetric encryption refers to encryption and decryption using a pair of keys: a public key and a private key. You can use the public key to encrypt and the private key to decrypt, or vice versa. HTTPS, for example, uses asymmetric encryption.

Let’s take a look at how KMS stores your Key internally: Let’s say we have a Key for encrypting Data, called Data Key, and encrypt Data to get Encrypted Data. The process is simple.

But what about the Data Key? If an attacker gets the Data Key, doesn’t that mean the Data has been cracked? The correct choice is to encrypt the Data Key with some kind of Key (called Matser Key here) (called Wrapping) to get Encrypted Data Key. Then we save the Encrypted Data and Encrypted Data Key together, as shown below:

How to encrypt the Master Key? I’m sure you’ve noticed, it’s a lot like a Russian nesting doll. (Cross it out)

AWS KMS actually does this. They have a layer upon layer of encryption keys (KMS Key Hierarchy), and when it comes to the final Key, it is a plaintext, but:

  1. It is completely stored in memory and will never be stored in physical media.
  2. It will never be transmitted over the public network.

So much so that even AWS employees don’t have access to the original content.

What about the other Data keys? The Data that I really encrypt is the Data Key. What if the Data Key is leaked? This is an important question. So how does KMS solve this?

KMS’s Data Key is dynamically generated in memory. After it is used to encrypt Data, it is deleted in memory. Only the Encrypted Data Key remains.

Peter M.O ‘donnell, AWS Solution Architect, re:Invent 2019

KMS is a very serious service, built by very serious people for very serious customers .

To sum up:

  1. Data is Encrypted with Data Key and Encrypted Data is obtained.
  2. Encrypted Data and Encrypted Data Key are kept together.
  3. It doesn’t matter if you get Encrypted Data and Encrypted Data Key, you have to get the Matser Key that encrypts the Encrypted Data Key, layer by layer, You need to know the final Master Key at the Top Level.
  4. KMS is fundamentally designed to ensure that no one can obtain the Top Level Master Key.
  5. So your data is safe.

This article introduces what AWS KMS is, why it is used, and how IT protects your keys to protect your data. In the next article, we will look at how to apply KMS to your system from a practical perspective.

Related reading:

  1. amazonaws-china.com/kms/
  2. AWS re:Invent 2019: Using AWS KMS for data protection, access control, and audit
  3. AWS Security Basics – AWS KMS