How exactly does encryption key rotation work? - amazon-web-services

How exactly does encryption key rotation work? I understand it's a very good practice to continuously rotate your encryption keys for security purposes, but rotating a key would require too much work.
Case:
Let's just say I have a database storing 30GB of data, and we're using an internal key to encrypt data at rest, and I plan to rotate my keys every month.
Questions:
Does that mean all my data will be decrypted by the old key and re-encrypted by the new one every month?
The whole encryption-decryption would take a lot of time and compute resources.
If my DB ( or any encrypted dataset ) scales tomorrow, does that mean the same process would duplicate when my key rotates? This does not look like a scalable solution.
Other Details:
I've also seen AWS KMS rotates it's keys if we've selected the rotation option. How does AWS manage to rotate it's keys and all encrypted data for all the underlying services?

You need to familiarize yourself with Envelope Encryption. Each time you want to encrypt data in AWS, you first generate a unique data-key. You then encrypt your data with this key. This key is not the key that is rotated!
Then you take this key, and you encrypt it with a key from KMS. Now if you want to decrypt this data, you must first get the decrypted data key, and to decrypt this data key, you will need the KMS key.
Now if you want to rotate the key, you don't need to re-encrypt all the data, instead you need to decrypt the data key using your key to be rotated from KMS, and then get a new key, and re-encrypt the unencrypted data key. That way you don't need to re-encrypt all the data.

Here are two important links that can help you understand envelop encryption and key rotation in AWS.
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
I have quoted some important concepts from the above links:
Envelop encryption:
When you encrypt your data, your data is protected, but you have to protect your encryption key. One strategy is to encrypt it. Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key.
Customer Master Keys
CMKs are created in AWS KMS. Symmetric CMKs and the private keys of asymmetric CMKs never leave AWS KMS unencrypted. This strategy differs from data keys. AWS KMS does not store, manage, or track your data keys. You must use them outside of AWS KMS.
Data Keys
Data keys are encryption keys that you can use to encrypt data, including large amounts of data and other data encryption keys. You can use AWS KMS customer master keys (CMKs) to generate, encrypt, and decrypt data keys. However, AWS KMS does not store, manage, or track your data keys, or perform cryptographic operations with data keys. You must use and manage data keys outside of AWS KMS.
Key rotation
When you enable automatic key rotation for a customer managed CMK, AWS KMS generates new cryptographic material for the CMK every year. AWS KMS also saves the CMK's older cryptographic material in perpetuity so it can be used to decrypt data that it encrypted. AWS KMS does not delete any rotated key material until you delete the CMK.
An important concept in Key rotation is the HSM backing key(HBK):
(https://docs.aws.amazon.com/kms/latest/cryptographic-details/key-hierarchy.html)
Within the hierarchy of a specific CMK, the HBK can be thought of as a version of the CMK. When you want to rotate the CMK through AWS KMS, a new HBK is created and associated with the CMK as the active HBK for the CMK. The older HBKs are preserved and can be used to decrypt and verify previously protected data. But only the active cryptographic key can be used to protect new information.

Does that mean all my data will be decrypted by the old key and re-encrypted by the new one every month?
As already answered, the simple answer is no. But the previous answers miss the purpose of the key rotation
The reason behind the key rotation is limit amout of data encrypted by a single key.
How does AWS manage to rotate it's keys and all encrypted data for all the underlying services?
The basic idea (at least in KMS) is, that the KMS key is not a single key, but it is a set of keys, which the last one is the current one. You can imagine that as "key versioning". After each key rotation the current key is saved so you can still decrypt the previously encrypted ciphertext (data key - as mentioned in other answers). I believe in the KMS this whole set is hidden, but Azure KeyValt shows the whole set as key version.
The whole encryption-decryption would take a lot of time and compute resources
No, you don't need to do anything. AWS manages the "key versions" for you. Even if you'd re-encrypt the envelope keys as suggested in another answer, then you would actually fail to fulfill the purpose of the key rotation.
The ciphertext generated by the KSM must contain some identification of the key version too, so the KMS is able to decrypt the ciphertext even after the key is rotated.

Related

How does envelope encryption work in aws kms?

I have recently been reading about Amazon KMS, including envelope encryption. The source I used for envelope encryption (Free Code Camp) seems to consider 4 levels of envelope encryption (data encryption key, key encryption key, KMS master key and root KMS master key), as shown in the figure below:
On the other hand, what I have read in aws only seems to consider two levels (KMS key or key encryption key and data encryption key), as shown in the figure below:
Am I missing something here? Is this disparity only apparent?
Thanks in advance for your answers!
What you see here are just different levels of abstraction.
The upper diagram shows the whole chain of keys involved in creating data keys for encryption/decryption. It peeks under the hood of the KeyId abstraction.
The docs are quite extensive as cryptography is famously littered with pitfalls and edge cases, but here's my not entirely accurate but useful enough mental model of the process:
Through heavily-audited and secure random magic hardware appliances (HSMs) can come up with keys that (almost, except for replication) never leave the appliance. Besides creating these keys, HSMs can also encrypt and decrypt data using these keys as well as create more keys.
KMS exposes these HSMs in some ways to you. It allows you to manage these keys through the KMS API and create an abstraction called a master Key (there are different versions...) identified by a KeyId. This master key is not necessarily a single key (key material is what AWS uses in the docs).
Rather there are multiple keys under the hood, but they are not directly exposed to the user. The underlying keys can be rotated according to a schedule. Effectively this key is versioned, but only the most recent version is used to encrypt new data; older versions are only used to decrypt data.
The other keys in the chain in the diagram are pretty much just implementation details that you don't need to know unless you plan to audit KMS in which case my mental model won't be enough. In practice, the lower diagram is much more important.
The lower diagram shows what KMS looks like from a client that uses KMS to manage encryption keys to encrypt data in another system. To use KMS in a system, you only need to know the identifier of a KMS Key (KeyId) and have the appropriate permissions.
The flow looks like this for encryption:
You make a GenerateDataKey API Call to KMS and pass in the KeyId of the key you wish to use. KMS will then return (among other things) a plain text data key and an encrypted data key.
You use the plain text data key to encrypt your data locally and store the encrypted data alongside the encrypted data key. Next, you delete the plain text data key from memory.
For decryption the flow is as follows:
You read the encrypted data key from the encrypted object and make a call to the Decrypt API passing in the encrypted data key. Assuming you have permission, KMS will return the plain text data key [1][2].
You use the plain text data key to decrypt your encrypted data.
From the client's perspective, all you need to know about the keys that KMS uses is the KeyId (by default, there are more advanced features like encryption contexts).
[1] for symmetric encryption, it can infer the correct KeyId from the metadata, but as a best practice, you should send the KeyId as well.
[2] AWS infers the correct key-material for decryption from metadata in the encrypted blob.

KMS rotation process

I want to implement an envelope encryption using KMS.
I would encrypt few properties in a no sql db, is the first time that I'm doing it and for what I have read I will need to save my encrypted data key along the data.
My question is, at some point I would like to rotate the CMK key that KMS is using to encrypt the data key, for that scenario, I would need to write a process to re-encrypt my data key with the new CMK that KMS will use?, do I need to change the encrypted data key with a new one?
would need to write a process to re-encrypt my data key with the new CMK that KMS will use?, do I need to change the encrypted data key with a new one?
If you use automated rotation, you don't have to do anything in terms of data keys. They are not affected by rotation. From docs:
automatic key rotation has no effect on the data that the KMS key protects. It does not rotate the data keys that the KMS key generated or re-encrypt any data protected by the KMS key, and it will not mitigate the effect of a compromised data key.
But if you use manual rotation, you may have to re-encrypt everything. From docs:
If you manually rotate your imported or custom key store keys, you may have to re-encrypt your data depending on whether you decide to keep old versions of keys available.

AWS KMS Documentation

Can you please help me understand the meaning of sentence from KMS documentation
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
automatic key rotation has no effect on the data that the KMS key protects.
It does not rotate the data keys that the KMS key generated
or re-encrypt any data protected by the KMS key,
**and it will not mitigate the effect of a compromised data key.**
what does
... it will not mitigate the effect of a compromised data key.
mean in this context.
I need to enable KMS Rotation in multiple repos and I want to be 100% sure
Your CMK can create data keys, which you can use outside of AWS to manually encrypt and decrypt your data. The important thing about data keys is that they are symmetric. Which means same key is used for encryption and decryption of a secret.
If AWS rotation happens, it affects only key material stored in KMS. Any data keys generated before that, are not affected as they are for external use and are symmetric. The rotation only applies to the keys stored in KMS itself, not to data keys that you generated and used outside of AWS.
So if anyone has your data key, it can be used to decrypt your secretes, as rotation do not apply to these keys.
"It does not mitigate the effect of compromised key means"
For understanding sake consider KMS Key is a logic unit of two components
1.Key attributes (Key metadata) - Key ID, Key Specification , Key Usage etc
2.Reference to Key material
(In essence a KMS key means these two things)
There are three types of KMS Keys.
AWS owned keys - used by AWS for internal purpose
AWS managed Keys - used by AWS services - only metadata can be accessed
AWS CMK Keys - Customer can control the key but is managed by AWS on behalf of the customer
Data keys are generated from AWS KMS CMK Keys.
Firstly we have to understand What are data keys and how they are generated ?
Ans: As known KMS Keys do not leave the KMS modules. So the maximum file can encrypt is of the only 4KB. To encrypt more data we will be using a data key that is generated form the KMS Keys. Using envelope encryption the data key encrypts the data objects in EBS or S3 while data key is encrypted by KMS Key and stored where the data is stored unlike KMS Keys that do not leave the AWS KMS HSM Modules.
Now in case of key-rotation you are changing the key material you are not changing the Key metadata nor reference to the key material i.e .AWS will decrypt the data key by the KMS Key that it was encrypted aka the previous version of the KMS Key. We cannot instruct a particular version of KMS Key.

How to encrypt data in AWS RDS with AWS KMS on the column level?

I found that AWS RDS allows encrypting DB resources with AWS KMS. Because it is done inside the AWS infrastructure the encryption key can be easily rotated automatically. It is cool, but it is only encryption-at-rest.
I would additionally like to have encrypted some particular columns in the database. For example SSN. I would like to store them encrypted and decrypt them to display inside my application. Moreover, I would like to have an individual key for every user.
The main problem which I observed will be the rotation of the key. As I'm thinking to rotate the key for one user I would like to do this inside my application:
get a current encryption key from KMS
decrypt all the data from RDS encrypted with the current key
generate a new encryption key
encrypt everything again and store data in RDS
store the new key in the KMS
The main problem here would be to keep everything in a "transaction" - to "commit" if everything was fine and to "rollback" everything if anything went wrong.
I wonder if such keys rotation for the encryption at the columns level could be done inside the AWS infrastructure automatically. Do you have any ideas about that? Maybe you know any other, better approach for such a situation?
What problem are you solving by having individual keys per user? The KMS paradigm is to use policy to grant access to a Customer Master Key (CMK). As Mark pointed out above, there is a limit on the number of keys.
Have a look at this walkthrough
There is a section at the bottom about Key rotation strategies that might help:
"A recommended approach to manual key rotation is to use key aliases within AWS KMS. This allows users to always select the same key alias when configuring databases, while the key administrator rotates the underlying CMK. By keeping the old CMK, you allow any applications that currently use this key to still decrypt any data that was encrypted by it, as long as the CMK key policy still gives the AWSServiceRoleForRDS role permission as a Key User. It also allows for any new data to be encrypted with the new CMK."
I would additionally like to have encrypted some particular columns in the database.
Then I assume you will use a form of key wrapping ( data keys )
The main problem which I observed will be the rotation of the key
..
encrypt everything again and store data in RDS
store the new key in the KMS
The purpose of the key rotation is limit amount of data encrypted by a single key, not to re-encrypt the whole encrypted content.
Suggestion:
as already linked - encrypt your data using a random (per row?) data key.
encrypt the data key using the user-specific key.
encrypt the user-key with a KMS-key
Key Rotation (KMS) should be transparent for you with no action to do.
If you wish to manually rotate the user keys, you may, IMHO it is not so critical - the user keys are used to encrypt the data keys - relatively short data with high entropy.
IMHO the action by rotation taken should be creating a new key and preserving the old one for decryption purposes, not to re-encrypt all the database records
Are you using something like AWS Cognito to give each user temporary IAM permissions when they log in? Otherwise, I don't see the point of giving each user a separate KMS key, since you would be giving a single entity (your server) access to all the keys. Also note that there is a limit of 10,000 KMS keys in an AWS account. That's quite a bit, but if you have a website where anybody can sign up you might run up against that limit if you are assigning each user a key.
As for handling key rotation automatically, since you have to write the custom code to encrypt individual column values in your database, you will also have to write the code to perform all the steps of the key rotation process. You could create that as an AWS Lambda function and configure it to run "automatically", but it isn't something Amazon gives you out of the box without any custom code.

Field level encryption using AWS KMS and AWS CloudHSM

There is a requirement to implement additional level of security for an application. Let's say there is a table with 10'000'000 users. The sensitive fields are user.first_name and user.last_name. We need to encrypt that data before storing it into the database and later decrypt on the application level to show it on the UI.
As far as I can see the recommended way to do it with KMS is:
Write Part
call KMS service to get data key
encrypt the fields using data key
on the application level persist user record with encrypted fields into the database
Read Part
retrieve the record with encrypted fields from the database
decrypt the fields using data key
show the data on the UI
I have a set of questions that i need to clarify:
Does it make sense to use a new data key for each user?
10'000'000 users means 10'000'000 different data keys , what is the best practice to store them and access them from the machine that is doing decryption?
Is it ok to have a single data key for the whole user table?
What is the best practice to store a single key securely on local machine?
What will happen when accidentally the data key will be lost? Are there any recovery procedures?
The exact solution to be implemented should be decided based on the organization policy and the regulatory needs. However, the following points would hopefully help you develop a solution:
You can create a separate data key for each field by using a pseudo random number generator. The data key will be used to encrypt the raw data and then the data key itself will be encrypted using a common "Customer Master Key" from KMS. The encrypted data key will then be stored along with the encrypted data (first name and last name, in your case).
During decryption, the encrypted data key (stored along with the encrypted data) will be first decrypted using the master key from KMS and then the data will be decrypted using the data key
KMS can be configured to rotate the master key automatically every year. However, KMS keeps track of the old keys so that the encryption done with the old keys can be decrypted in the future even after the master key is rotated
The master key in KMS will be replicated across multiple Availability zones and therefore it is highly available
If you have more stringent security requirements, you may consider CloudHSM which stores the key in dedicated hardware that is not shared with other AWS customers
You can also use a KMS custom key store backed by CloudHSM. However, in that case the automatic key rotation will not be available