My use case is to store digital certificate (issued by some certificate authority) in AWS Cloud HSM. I know we can store private key that signs the certificate. But is it possible to store full digital certificate itself? Can someone please share the steps?
Unfortunately you cannot store digital certificate in CloudHSM device
Here are things what you can achieve with it
When you use an HSM from AWS CloudHSM, you can perform a variety of cryptographic tasks:
Generate, store, import, export, and manage cryptographic keys, including symmetric keys and asymmetric key pairs.
Use symmetric and asymmetric algorithms to encrypt and decrypt data.
Use cryptographic hash functions to compute message digests and hash-based message authentication codes (HMACs).
Cryptographically sign data (including code signing) and verify signatures.
Generate cryptographically secure random data.
Docs & fAQ for more reference
Related
Are all 3 versions of AWS Server Side Encryption (SSE-S3, SSE-KMS, SSE-C) considered envelope encryption? In other words all 3 use 2 keys (one key to encrypt the data and is stored with the data and another key which is used to encrypted the data key)? Looking through the AWS docs I can't seem to conclude that all 3 versions of SSE are always envelope encryption.
No, only the first two versions of AWS SSE (SSE-S3 and SSE-KMS) use two keys. The third version, SSE-C, uses a single key.
SSE-C does not consider envelope encryption. SSE-C is a server-side encryption service offered by Amazon Web Services (AWS) that provides encryption of data stored in Amazon S3 buckets. It uses the Advanced Encryption Standard (AES) algorithm in Galois Counter Mode (GCM) to encrypt data.
I have created a RSA key (Asymmetric Key) in Google KMS. while trying to use it in GKE using Application-layer Secrets. the asymmetric keys are not getting loaded.
enter image description here
Google Cloud Kubernetes requires AES encryption. This is a symmetric encryption algorithm.
Symmetric-key algorithm
Encryption keys have a purpose. Common types are ASYMMETRIC_DECRYPT and ENCRYPT_DECRYPT.
KMS: Key purposes and algorithms
RSA keypairs provide asymmetric encryption which is not supported.
Public-key cryptography
Encrypt secrets at the application layer
Typically RSA keys are used to exchange information (secrets, random numbers, etc) that is used to generate a symmetric encryption key. Encryption using RSA keys is expensive in CPU time, encryption using symmetric keys is very fast in comparison.
I am expecting very high traffic on one of my services, and I would like to add encryption for a new feature. I know KMS makes an API call each encrypt/decrypt call, but is it possible to use KMS for key management and cache the keys in memory to encrypt/decrypt locally without additional API calls?
The KMS key never leaves its hardware. That's it.
By default the KMS is intended for the envelope encryption. There is a data encryption key and KMS is used to encrypt the data key.
You can call the KMS to generate a random data key along the its encrypted value and then use the data-key to encrypt the data itself.
If you are encrypting for the same system (data are encrypted for the same target ), you may reuse the same data key and use a unique IV to encrypt multiple messages.
Edit: I'd suggest using the AWS Encryption SDK a bit helping the developers to do it properly
I am wondering if you please help me out with the following question.
What are the differences between the KMS and the secret manager in GCP? Thank you in advance.
https://cloud.google.com/secret-manager/docs/
HB
Cloud KMS encrypts data and returns the encrypted ciphertext. Cloud KMS does not store the secret, only the keys to encrypt/decrypt.
Secret Manager actually stores the secret material. Secret Manager also keeps a history (versions) of secret material. All data in Secret Manager is encrypted. By default, it is encrypted with a Google-managed key. You can actually use Cloud KMS to encrypt Secret Manager secrets (this is called "CMEK"), in which case the user controls the keys.
Cloud KMS is designed as a cryptographic oracle system: nobody, including yourself, can get the keys out: this means they're locked inside the system and you don't have to worry in practice about them leaking. The tradeoff is that the only thing you can do with those keys is encrypt, decrypt, and other cryptographic operations: useful for protecting data, or even for encrypting secrets, but if you have a database password or something else which you want to keep secret, but then actually be able to use or send elsewhere, you have to store the encrypted version, then use Cloud KMS to decrypt it.
When you do have configuration info like a database password, where your software actually needs the secret, not cryptographic operations, then Secret Manager is designed for that use case. The tradeoff is that if you get a copy of the secret out, it's harder to keep it from leaking and be certain it's controlled.
Thanks for using GCP!
I am developing a project which requires video file encryption. I am familiar with AWS S3 so I have decided to use the same. I found the link Reference Link
Which says we need to provide our encryption key to to encrypt the data and AWS takes care of the data writing and we can access the file again by passing the same encryption key.
I want to know from where should I generate the encryption key?
You're looking at the "customer-provided encryption keys" section. In that case, you provide the encryption key.
If you don't want to, or know how to, manage your own keys, you should use S3-managed encryption keys or (even better) KMS-managed encryption keys.
For even more safety, client-side encryption is nice.