I'll do some data import from a third party. They require me to provide a PGP public key with which they encrypt the data. I don't want to generate key pairs on my machine, so I'm looking at a hosted solution and wondering if we can use AWS KMS (we already use AWS services as infra).
Is it possible to use KMS for that? If not, what would be a good way to achieve this on AWS?
Related
Can we import a PGP encryption key into Google Cloud KMS and use that key to decrypt the files in Google Cloud Storage?
In the documentation, you can find the list of supported key types. PGP private keys aren't supported. You can store it in Secret Manager (and, behind the scenes, KMS will be used to encrypt your secret).
Or you can encrypt it manually. Generate an encryption key with Cloud KMS, encrypt the PGP private key, and store the encrypted key somewhere (in your app, in GCS, in a Git repo, ...). The only thing that you have to do when you want to use it is to perform the opposite process and decipher the PGP private key with Cloud KMS.
I know we can select a KMS (customer or AWS managed) key when creating our RDS database.
However I find the documentation quite vague about the different processes so I've got the following questions:
Does it mean that only one data key will be used for the whole database to encrypt everything?
Where exactly is the encrypted version of the data key located?
When does RDS decrypt the encrypted data key to use it?
How often does RDS need to make an API call against KMS to decrypt the encrypted version of the data key it keeps?
Does it mean that only one datakey will be used for the whole database
The documentation really doesn't specify any details. Based on the AWS best practices and other documentation, I'd assume the data key is cached and reused for a certain time and then regenerated.
However, the details are not publicly available. All the storage encryption is hidden under the hood and not visible to the client.
How often does RDS need to make an API call against KMS to decrypt the encrypted version of the data key it keeps?
AWS KMS calls are logged in CloudTrail, and you will see the calls on the bill as well. At least for the CMK (I'm not sure how it is for the default service KMS key).
I am connecting my app to a third-party email service using the registered API key.
Since it is sensitive information, I would like to store it in some encrypted place and retrieve it from there.
As I am already using AWS Lambda, for this use case is it better to use DynamoDB or an S3 bucket to store the API key?
Parameter Store is also a good option. It is possible to store encrypted data, and it is easier to manage than via Secrets Manager.
https://aws.amazon.com/en/systems-manager/features/
For just storing API key, both S3 and DynamoDB are not the best option.
The simplest solution will be a SecureString in Parameter Store.
Alternatively, you can use a Lambda encrypted environment variable if you want to encrypt with a specific KMS key. Then in your Lambda code you decrypt the env variable.
If you do the second approach in many Lambdas, then consider putting this code for decryption in a Lambda layer.
For my future projects, I would store secrets in the SSM Parameter Store and then make the secrets available to my Lambdas as encrypted values during the deployment phase. The Lambdas can then use the KMS key to decrypt them during runtime.
Parameter Store has a limit of 120 requests per second; this way we can prevent ourselves from hitting the limit.
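The two answers above share one operational point: decrypt the secret once per execution environment (at cold start, or on first use) and reuse it across invocations, so a burst of invocations does not turn into a burst of SSM or KMS calls against the 120 requests-per-second limit. The following Go program is an added example, not code from any of the answers; the actual SSM GetParameter or KMS Decrypt call is injected as a `Resolver`, and `CountingResolver` is a constructed stand-in that only counts calls so the cache can be exercised offline.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Resolver fetches and decrypts one secret by name. In a real Lambda this would
// wrap SSM GetParameter (WithDecryption) or KMS Decrypt of an encrypted env var.
type Resolver func(name string) (string, error)

// SecretCache resolves each secret at most once per process (i.e. per Lambda
// execution environment) and serves later lookups from memory.
type SecretCache struct {
	resolve Resolver
	mu      sync.Mutex
	entries map[string]*entry
}

type entry struct {
	once  sync.Once
	value string
	err   error
}

func NewSecretCache(r Resolver) *SecretCache {
	return &SecretCache{resolve: r, entries: make(map[string]*entry)}
}

// Get returns the decrypted secret, calling the resolver only on the first
// lookup of a name. Concurrent callers share one sync.Once, so a burst of
// invocations cannot fan out into many backend calls. A failed resolution is
// not cached: the entry is dropped so the next Get retries.
func (c *SecretCache) Get(name string) (string, error) {
	c.mu.Lock()
	e, ok := c.entries[name]
	if !ok {
		e = &entry{}
		c.entries[name] = e
	}
	c.mu.Unlock()

	e.once.Do(func() { e.value, e.err = c.resolve(name) })
	if e.err != nil {
		c.mu.Lock()
		if c.entries[name] == e {
			delete(c.entries, name)
		}
		c.mu.Unlock()
		return "", e.err
	}
	return e.value, nil
}

// CountingResolver is a constructed stand-in for the SSM/KMS call: it returns a
// fixed value per name and records how many times it was invoked.
type CountingResolver struct {
	mu    sync.Mutex
	calls int
}

func (r *CountingResolver) Resolve(name string) (string, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.calls++
	if name == "/prod/missing" { // constructed: simulates a parameter that does not exist
		return "", errors.New("parameter not found")
	}
	return "secret-for-" + name, nil
}

func (r *CountingResolver) Calls() int {
	r.mu.Lock()
	defer r.mu.Unlock()
	return r.calls
}

// SimulateInvocations runs n concurrent handler invocations that all read the
// same parameter and reports the value and how many backend calls were made.
func SimulateInvocations(n int) (value string, backendCalls int, err error) {
	r := &CountingResolver{}
	cache := NewSecretCache(r.Resolve)
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			v, e := cache.Get("/prod/mail/api-key") // constructed parameter name
			if e == nil {
				value = v
			} else {
				err = e
			}
		}()
	}
	wg.Wait()
	return value, r.Calls(), err
}

func main() {
	v, calls, err := SimulateInvocations(50)
	fmt.Printf("value=%q backendCalls=%d err=%v\n", v, calls, err)
}
```

Note that the cache lives for the execution environment, so a rotated parameter is only picked up on the next cold start; if rotation must be honoured sooner, add a TTL to `entry` rather than calling the backend on every invocation.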
Beginner here. How can I access an encrypted bucket? I read the documentation and it doesn't clearly state how I will create an encrypted bucket besides the default encryption option and bucket policy. I can't use a KMS key for the encryption.
I checked this AWS Server-Side Encryption C# example, but I don't know where I will get the following:
ServerSideEncryptionCustomerMethod = AES256
ServerSideEncryptionCustomerProvidedKey = base64(secretkey)
ServerSideEncryptionCustomerProvidedKeyMD5 = md5(base64(secretkey))
Could you please simplify or discuss the steps.
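The three values in the question are the SSE-C (customer-provided key) request headers: the algorithm is always `AES256`, the key is the base64 encoding of a 256-bit key you generate and keep yourself, and the MD5 value is the base64 encoding of the MD5 digest of the raw key bytes (not of the base64 string); S3 uses that digest only to check the key arrived intact. The following Go program is an added example, not code from the question or from the AWS SDK; it generates the key, derives the header values, and re-runs the integrity check S3 performs, so the reader can see which bytes the MD5 is taken over.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// SSECHeaders carries the three values an SSE-C request needs, in the form the
// S3 REST API (and the SDK properties named in the question) expects.
type SSECHeaders struct {
	Algorithm string // x-amz-server-side-encryption-customer-algorithm
	Key       string // x-amz-server-side-encryption-customer-key: base64(raw key)
	KeyMD5    string // x-amz-server-side-encryption-customer-key-MD5: base64(md5(raw key))
}

// NewSSECKey generates a fresh 256-bit customer key. S3 does not store it:
// every GET must present the same key, and losing it loses the objects.
func NewSSECKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// HeadersForKey derives the request header values from the raw key bytes.
func HeadersForKey(key []byte) (SSECHeaders, error) {
	if len(key) != 32 {
		return SSECHeaders{}, errors.New("SSE-C requires a 256-bit (32-byte) key")
	}
	sum := md5.Sum(key) // digest over the raw key, not over its base64 form
	return SSECHeaders{
		Algorithm: "AES256",
		Key:       base64.StdEncoding.EncodeToString(key),
		KeyMD5:    base64.StdEncoding.EncodeToString(sum[:]),
	}, nil
}

// VerifyKeyMD5 performs the same consistency check S3 does on arrival:
// decode the key header, hash it, and compare with the MD5 header.
func VerifyKeyMD5(h SSECHeaders) (bool, error) {
	raw, err := base64.StdEncoding.DecodeString(h.Key)
	if err != nil {
		return false, err
	}
	sum := md5.Sum(raw)
	return base64.StdEncoding.EncodeToString(sum[:]) == h.KeyMD5, nil
}

func main() {
	key, err := NewSSECKey()
	if err != nil {
		panic(err)
	}
	h, err := HeadersForKey(key)
	if err != nil {
		panic(err)
	}
	ok, _ := VerifyKeyMD5(h)
	fmt.Printf("algorithm=%s key=%s md5=%s consistent=%v\n", h.Algorithm, h.Key, h.KeyMD5, ok)
}
```

Because S3 holds neither the key nor any recoverable form of it, the raw key has to be stored somewhere durable and access-controlled on your side (a KMS-encrypted secret in Parameter Store or Secrets Manager is the usual choice on AWS); SSE-KMS avoids that burden entirely, which is why it is the default recommendation when a KMS key is available.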
Has anybody tried to use AWS KMS on Heroku?
On one hand, Heroku runs on AWS, so presumably it should work.
On the other hand, I haven't seen any references that it was used in Heroku.
My main goal is to be able to get an encryption key from a hardware security module (vs hardcoding it in my code or putting it in an environment variable).
There is no reason why you should not be able to call a KMS endpoint from anywhere you have internet connectivity.
You still need to have an access key and secret access key for the AWS account you are using and that account needs to have permissions on KMS.
You will need to distribute the encrypted stuff and the aws keys to your Heroku instance. You can then decrypt and use KMS from there.
One thing worth mentioning: when using KMS you never see the actual key KMS uses. You can create the key, you can encrypt and decrypt, and/or you can have permissions on the specific API operations, but you cannot get the plaintext key.
What you normally do is some sort of envelope encryption, in which you generate your own data key, encrypt it via KMS, and send the encrypted key and the encrypted data to the destination.
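The envelope pattern in the answer above, and the Cloud KMS answer earlier on this page (wrap a locally held PGP private key with a KMS key and store only the wrapped copy), are the same construction: a data key encrypts the payload, the KMS key encrypts only the data key, and the KMS key itself never leaves the service. The following Go program is an added example, not code from either answer or from the AWS or Google SDKs. `KeyWrapper` is the slice of the KMS API the pattern needs (AWS KMS exposes it as GenerateDataKey and Decrypt; with Cloud KMS you generate the data key locally and call Encrypt and Decrypt on it), and `LocalKMS` is a constructed in-process stand-in whose root key is never returned to callers, so the program runs offline while keeping the property the answer describes. The envelope layout is also constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// KeyWrapper is the part of a KMS that envelope encryption needs.
type KeyWrapper interface {
	GenerateDataKey() (plaintext, wrapped []byte, err error)
	Decrypt(wrapped []byte) ([]byte, error)
}

// LocalKMS is a constructed stand-in: the root key lives only inside it.
type LocalKMS struct{ root cipher.AEAD }

func NewLocalKMS() (*LocalKMS, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	aead, err := newGCM(k)
	if err != nil {
		return nil, err
	}
	return &LocalKMS{root: aead}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// GenerateDataKey mints a fresh 256-bit data key and returns it in the clear
// (for local use) plus wrapped under the root key (for storage/transport).
func (l *LocalKMS) GenerateDataKey() ([]byte, []byte, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, nil, err
	}
	wrapped, err := seal(l.root, dek, []byte("dek"))
	return dek, wrapped, err
}

func (l *LocalKMS) Decrypt(wrapped []byte) ([]byte, error) {
	return open(l.root, wrapped, []byte("dek"))
}

// seal returns nonce || AES-GCM ciphertext; open reverses it.
func seal(aead cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func open(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// Envelope layout (constructed): uint16 BE len(wrapped) | wrapped DEK | nonce || ciphertext.
// The wrapped DEK is bound into the AAD so the two halves cannot be swapped.
func Envelope(kms KeyWrapper, plaintext []byte) ([]byte, error) {
	dek, wrapped, err := kms.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	if len(wrapped) > 0xffff {
		return nil, errors.New("wrapped key too long")
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	body, err := seal(aead, plaintext, wrapped)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2, 2+len(wrapped)+len(body))
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	return append(out, body...), nil
}

func OpenEnvelope(kms KeyWrapper, env []byte) ([]byte, error) {
	if len(env) < 2 {
		return nil, errors.New("envelope too short")
	}
	n := int(binary.BigEndian.Uint16(env))
	if len(env) < 2+n {
		return nil, errors.New("envelope truncated")
	}
	wrapped, body := env[2:2+n], env[2+n:]
	dek, err := kms.Decrypt(wrapped) // the only step that needs KMS access
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return open(aead, body, wrapped)
}

func main() {
	kms, _ := NewLocalKMS()
	env, _ := Envelope(kms, []byte("constructed sample: PGP private key block"))
	pt, err := OpenEnvelope(kms, env)
	fmt.Printf("recovered=%q err=%v\n", pt, err)
}
```

Only `OpenEnvelope` needs a credential that can call Decrypt, which is what lets the Heroku (or any off-AWS) side hold nothing but the envelope and a scoped IAM key; the test below also checks that a tampered envelope and an envelope presented to a different KMS both fail to open.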