Application-layer Secrets in Google Kubernetes does not support asymmetric keys - google-cloud-platform

I have created an RSA key (asymmetric key) in Google KMS. While trying to use it in GKE with Application-layer Secrets, the asymmetric keys are not getting loaded.

Google Cloud Kubernetes requires AES encryption. This is a symmetric encryption algorithm.
Symmetric-key algorithm
Encryption keys have a purpose. Common types are ASYMMETRIC_DECRYPT and ENCRYPT_DECRYPT.
KMS: Key purposes and algorithms
RSA keypairs provide asymmetric encryption, which is not supported.
Public-key cryptography
Encrypt secrets at the application layer
Typically RSA keys are used to exchange information (secrets, random numbers, etc.) that is used to generate a symmetric encryption key. Encryption using RSA keys is expensive in CPU time; encryption using symmetric keys is very fast in comparison.
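As an added preflight check (not code from the question or the answer above): given the JSON that `gcloud kms keys describe --format=json` returns for a key, the function below reports every reason the key cannot back GKE application-layer secrets encryption, including the asymmetric case from this question. The two key resources are constructed samples, and the rule that the key must sit in the cluster's region is an assumption to verify against the GKE documentation.

```python
import json
import re

# Constructed sample resources in the shape of `gcloud kms keys describe --format=json`
# output (field names follow the Cloud KMS CryptoKey resource; project, ring and key
# names are made up). An RSA key has purpose ASYMMETRIC_DECRYPT and no "primary" version.
RSA_KEY = json.loads("""{
  "name": "projects/demo-proj/locations/us-central1/keyRings/demo-ring/cryptoKeys/rsa-key",
  "purpose": "ASYMMETRIC_DECRYPT",
  "versionTemplate": {"algorithm": "RSA_DECRYPT_OAEP_2048_SHA256", "protectionLevel": "SOFTWARE"}
}""")

AES_KEY = json.loads("""{
  "name": "projects/demo-proj/locations/us-central1/keyRings/demo-ring/cryptoKeys/aes-key",
  "purpose": "ENCRYPT_DECRYPT",
  "primary": {"state": "ENABLED", "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"},
  "versionTemplate": {"algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION", "protectionLevel": "SOFTWARE"}
}""")

_LOCATION_RE = re.compile(r"^projects/[^/]+/locations/([^/]+)/keyRings/")


def region_of(location: str) -> str:
    """Map a zonal location such as us-central1-a to its region; regions pass through."""
    return re.sub(r"-[a-z]$", "", location)


def check_gke_secrets_key(key: dict, cluster_location: str) -> list:
    """Return the reasons a Cloud KMS key cannot back GKE application-layer secrets.

    An empty list means the key passed every check.
    """
    problems = []
    purpose = key.get("purpose")
    if purpose != "ENCRYPT_DECRYPT":
        problems.append(f"purpose is {purpose}; GKE needs ENCRYPT_DECRYPT (symmetric AES)")
    primary = key.get("primary")
    if primary is None:
        # Asymmetric keys carry no primary version, so there is nothing GKE could encrypt with.
        problems.append("key has no primary version to encrypt with")
    elif primary.get("state") != "ENABLED":
        problems.append(f"primary version is {primary.get('state')}, not ENABLED")
    match = _LOCATION_RE.match(key.get("name", ""))
    key_location = match.group(1) if match else None
    # Assumption: the key must live in the cluster's region (zonal clusters map to their region).
    if key_location != region_of(cluster_location):
        problems.append(f"key location {key_location} differs from cluster region {region_of(cluster_location)}")
    return problems


if __name__ == "__main__":
    for name, key in (("rsa-key", RSA_KEY), ("aes-key", AES_KEY)):
        print(name, check_gke_secrets_key(key, "us-central1-a") or "OK")
```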

Related

Storing digital certificate in AWS Cloud HSM

My use case is to store a digital certificate (issued by some certificate authority) in AWS CloudHSM. I know we can store the private key that signs the certificate. But is it possible to store the full digital certificate itself? Can someone please share the steps?
Unfortunately you cannot store a digital certificate in a CloudHSM device.
Here are the things you can achieve with it:
When you use an HSM from AWS CloudHSM, you can perform a variety of cryptographic tasks:
Generate, store, import, export, and manage cryptographic keys, including symmetric keys and asymmetric key pairs.
Use symmetric and asymmetric algorithms to encrypt and decrypt data.
Use cryptographic hash functions to compute message digests and hash-based message authentication codes (HMACs).
Cryptographically sign data (including code signing) and verify signatures.
Generate cryptographically secure random data.
Docs & FAQ for more reference

Can we import a PGP encryption key in Google Cloud KMS and use that key to decrypt the files in Google Storage?

In the documentation, you can find the list of supported key types. PGP private keys aren't supported. You can store it in Secret Manager (and, behind the scenes, KMS will be used to encrypt your secret).
Or you can encrypt it manually. Generate an encryption key with Cloud KMS, encrypt the PGP private key, and store the encrypted key somewhere (in your app, in GCS, in a Git repo, ...). The only thing you have to do when you want to use it is to perform the opposite process and decipher the PGP private key with Cloud KMS.

Can I use asymmetric encryption with AWS KMS?

I was wondering if I can use AWS KMS with such a use case. I want KMS to decrypt data sent from an on-prem system (so no KMS). I was hoping that KMS can store the secret key. The on-prem system will use the public key to encrypt the data. Is this a feasible way?
From what I read so far, KMS uses symmetric encryption? I can do what I want by using KMS to encrypt/decrypt my secret key, but the downside there is that my app will have the secret key in plain text when using it.
AWS KMS is for symmetric encryption only. There is no way to use KMS with asymmetric cryptography.
If you need this kind of functionality, you can use CloudHSM instead of KMS.
AWS KMS supports the following asymmetric key types - RSA 2048, RSA 3072, RSA 4096, ECC NIST P-256, ECC NIST P-384, ECC NIST P-521, and ECC SECG P-256k1.

RSA signing with AWS KMS

I'm looking for a way to use aws-kms for RSA signing of an arbitrary byte array. I was wondering if there is an API for that in aws-kms, or some building blocks that can be used together to build that.
Thanks!
KMS only generates symmetric data keys, and KMS key material is also symmetric. I believe it is not possible using KMS. Consider using CloudHSM.

Amazon S3 File Encryption

I am developing a project which requires video file encryption. I am familiar with AWS S3 so I have decided to use the same. I found the link Reference Link, which says we need to provide our encryption key to encrypt the data and AWS takes care of writing the data, and we can access the file again by passing the same encryption key.
I want to know from where should I generate the encryption key?
You're looking at the "customer-provided encryption keys" section. In that case, you provide the encryption key.
If you don't want to, or don't know how to, manage your own keys, you should use S3-managed encryption keys or (even better) KMS-managed encryption keys.
For even more safety, client-side encryption is nice.