Can I use asymmetric encryption with AWS KMS? - amazon-web-services

I was wondering if I can use AWS KMS with such a use case. I want KMS to decrypt data sent over from an on-prem system (so no KMS). I was hoping that KMS can store the secret key. The on-prem system will use the public key to encrypt the data. Is this a feasible way?
From what I have read so far, KMS uses symmetric encryption? I can do what I want by using KMS to encrypt/decrypt my secret key, but the downside there is that my app will have the secret key in plain text when using it.

AWS KMS is for symmetric encryption only. There is no way to use KMS with asymmetric cryptography.
If you need this kind of functionality, you can use CloudHSM instead of KMS.

AWS KMS supports the following asymmetric key types: RSA 2048, RSA 3072, RSA 4096, ECC NIST P-256, ECC NIST P-384, ECC NIST P-521, and ECC SECG P-256k1.
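Added example (Go, not code from either answer): the flow the question describes, with a locally generated RSA key standing in for a KMS RSA_2048 key with ENCRYPT_DECRYPT usage (that stand-in is an assumption so the example runs offline; only the `Decrypt` method ever touches the private key, which is the property KMS gives you). The on-prem side receives the public key in the SubjectPublicKeyInfo DER form a GetPublicKey call hands out, encrypts with RSAES-OAEP over SHA-256 (the RSAES_OAEP_SHA_256 parameter set), and the key-holding side decrypts the raw OAEP block. The size check shows why this only works for small payloads such as a symmetric data key: RSA-2048 with OAEP/SHA-256 carries at most 190 bytes.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// KeyStore stands in for an RSA_2048 key with ENCRYPT_DECRYPT usage held by
// KMS. Assumption: this is a local stand-in so the example runs offline; the
// private key never leaves the struct, and only Decrypt touches it.
type KeyStore struct {
	priv *rsa.PrivateKey
}

func NewKeyStore(bits int) (*KeyStore, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &KeyStore{priv: priv}, nil
}

// PublicKeyDER returns the public half as SubjectPublicKeyInfo DER, the same
// encoding a GetPublicKey call hands out and the one OpenSSL and most
// libraries parse directly.
func (k *KeyStore) PublicKeyDER() ([]byte, error) {
	return x509.MarshalPKIXPublicKey(&k.priv.PublicKey)
}

// Decrypt accepts a raw RSAES-OAEP ciphertext with SHA-256 as both the hash
// and the MGF1 hash (the RSAES_OAEP_SHA_256 parameter set). There is no
// header, no wrapped data key, no framing: just the one RSA block.
func (k *KeyStore) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, k.priv, ciphertext, nil)
}

// MaxOAEPPlaintext is the largest message RSAES-OAEP can carry for a given
// modulus size and hash length: k - 2*hLen - 2 bytes, i.e. 190 bytes for
// RSA-2048 with SHA-256.
func MaxOAEPPlaintext(modulusBits, hashLen int) int {
	return modulusBits/8 - 2*hashLen - 2
}

// OnPremEncrypt runs on the system that holds only the public key. It parses
// the DER, rejects oversized input up front, and emits the raw OAEP block.
func OnPremEncrypt(publicKeyDER, plaintext []byte) ([]byte, error) {
	parsed, err := x509.ParsePKIXPublicKey(publicKeyDER)
	if err != nil {
		return nil, err
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("not an RSA public key")
	}
	limit := MaxOAEPPlaintext(pub.Size()*8, sha256.Size)
	if len(plaintext) > limit {
		return nil, fmt.Errorf("plaintext is %d bytes but this key carries at most %d; wrap a symmetric data key instead", len(plaintext), limit)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// RoundTrip drives the whole flow and returns the recovered plaintext.
func RoundTrip(ks *KeyStore, plaintext []byte) ([]byte, error) {
	der, err := ks.PublicKeyDER()
	if err != nil {
		return nil, err
	}
	ct, err := OnPremEncrypt(der, plaintext)
	if err != nil {
		return nil, err
	}
	return ks.Decrypt(ct)
}

func main() {
	ks, err := NewKeyStore(2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample input: a short secret produced on-prem.
	out, err := RoundTrip(ks, []byte("db-password-from-on-prem"))
	fmt.Printf("recovered=%q err=%v\n", out, err)
	_, err = RoundTrip(ks, make([]byte, 191))
	fmt.Println("191-byte message:", err)
}
```

The ciphertext that crosses the boundary here is nothing but the RSA block, which is also the answer to the related question further down about OpenSSL compatibility: anything that pads, hashes and masks per the same OAEP parameters produces a block the private-key side can decrypt, whereas a library that emits its own envelope (a header plus a wrapped data key plus the body) is emitting a different format, not a different algorithm.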

Related

Why AWS KMS cannot decrypt ciphertext of AWS Encryption SDK and vice versa?

I would like to better understand this
On AWS Encryption SDK
The AWS Encryption SDK cannot decrypt the ciphertext that the AWS KMS Encrypt or ReEncrypt operations return. Similarly, the AWS KMS Decrypt operation cannot decrypt the encrypted message the AWS Encryption SDK returns.
Source
On AWS KMS
The Decrypt operation also decrypts ciphertext that was encrypted outside of AWS KMS by the public key in an AWS KMS asymmetric KMS key. However, it cannot decrypt ciphertext produced by other libraries, such as the AWS Encryption SDK or Amazon S3 client-side encryption. These libraries return a ciphertext format that is incompatible with AWS KMS.
Source
My question is:
If we choose the same standard algorithm, why will the raw ciphertext differ?
AWS KMS is already compatible with other libraries like OpenSSL, so why does AWS say "it cannot decrypt ciphertext produced by other libraries"? How do we know the limit of compatibility with these libraries (like OpenSSL, BouncyCastle, wolfSSL, mbed TLS, etc.)?

Can we import a PGP encryption key into Google Cloud KMS and use that key to decrypt the files in Google Storage?

Can we import a PGP encryption key into Google Cloud KMS and use that key to decrypt the files in Google Storage?
In the documentation, you can find the list of supported key types. PGP private keys aren't supported. You can store it in Secret Manager (and, behind the scenes, KMS will be used to encrypt your secret).
Or you can encrypt it manually. Generate an encryption key with Cloud KMS, encrypt the PGP private key, and store the encryption somewhere (in your app, in GCS, in a Git repo, ...). The only thing that you have to do when you want to use it is to perform the opposite process and decipher the PGP private key with Cloud KMS.

Application-layer Secrets in Google Kubernetes does not support asymmetric keys

I have created an RSA key (asymmetric key) in Google KMS. While trying to use it in GKE using Application-layer Secrets, the asymmetric keys are not getting loaded.
Google Cloud Kubernetes requires AES encryption. This is a symmetric encryption algorithm.
Symmetric-key algorithm
Encryption keys have a purpose. Common types are ASYMMETRIC_DECRYPT and ENCRYPT_DECRYPT.
KMS: Key purposes and algorithms
RSA keypairs provide asymmetric encryption which is not supported.
Public-key cryptography
Encrypt secrets at the application layer
Typically, RSA keys are used to exchange information (secrets, random numbers, etc.) that is used to generate a symmetric encryption key. Encryption using RSA keys is expensive in CPU time; encryption using symmetric keys is very fast in comparison.

Is it possible to use AWS KMS for key management but keep the keys in memory to encrypt / decrypt locally (without further api calls)?

I am expecting very high traffic on one of my services, and I would like to add encryption for a new feature. I know KMS makes an API call each encrypt/decrypt call, but is it possible to use KMS for key management and cache the keys in memory to encrypt/decrypt locally without additional API calls?
The KMS key never leaves its hardware. That's it.
By default, KMS is intended for envelope encryption. There is a data encryption key, and KMS is used to encrypt the data key.
You can call KMS to generate a random data key along with its encrypted value and then use the data key to encrypt the data itself.
If you are encrypting for the same system (data are encrypted for the same target), you may reuse the same data key and use a unique IV to encrypt multiple messages.
Edit: I'd suggest using the AWS Encryption SDK, which helps developers a bit to do it properly.
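Added example (Go; not code from the answer, and not the AWS SDK): the envelope pattern the answer describes, with the data key cached in memory. `localKMS` is an offline stand-in for the two KMS calls involved (GenerateDataKey and Decrypt) and is an assumption of this example; it counts round trips so the saving is visible. The client reuses one AES-256-GCM data key for a bounded number of messages with a fresh random nonce each time (the "unique IV" in the answer), ships the wrapped key inside every message, and the decrypting side unwraps each distinct wrapped key once and caches it. The same wrap/unwrap step is what the Cloud KMS answer above proposes for a PGP private key: the wrapped form is what you store, and a single unwrap call recovers it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// localKMS is an offline stand-in (assumption, not the AWS API): "wrapped" is an
// opaque handle, so the plaintext key is only recoverable by calling back in.
type localKMS struct {
	Calls int // round trips made, to show what caching saves
	keys  map[string][]byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

func (l *localKMS) GenerateDataKey() ([]byte, []byte, error) {
	l.Calls++
	dk, handle := randomBytes(32), randomBytes(16)
	l.keys[string(handle)] = dk
	return dk, handle, nil
}

func (l *localKMS) UnwrapDataKey(wrapped []byte) ([]byte, error) {
	l.Calls++
	if dk, ok := l.keys[string(wrapped)]; ok {
		return dk, nil
	}
	return nil, errors.New("unknown wrapped key")
}

func mustGCM(key []byte) cipher.AEAD { // AES-256-GCM; key length is fixed at 32 above
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(blk) // cannot fail for an AES block
	return g
}

// Client holds the current plaintext data key, reuses it for at most maxUses
// messages (nonces are random, so bound the count per key) and caches unwrapped
// keys for decryption. Single-goroutine use; add a mutex for a real service.
type Client struct {
	kms           *localKMS // in production: the KMS SDK client (GenerateDataKey, Decrypt)
	maxUses, uses int
	aead          cipher.AEAD
	wrapped       []byte
	cache         map[string]cipher.AEAD
}

func NewClient(kms *localKMS, maxUses int) *Client {
	return &Client{kms: kms, maxUses: maxUses, cache: map[string]cipher.AEAD{}}
}

// Encrypt emits [2-byte wrapped-key length][wrapped key][12-byte nonce][ciphertext||tag].
func (c *Client) Encrypt(plaintext, aad []byte) ([]byte, error) {
	if c.aead == nil || c.uses >= c.maxUses {
		dk, wrapped, err := c.kms.GenerateDataKey()
		if err != nil {
			return nil, err
		}
		c.aead, c.wrapped, c.uses = mustGCM(dk), wrapped, 0
	}
	c.uses++
	nonce := randomBytes(12) // fresh per message; never reuse one under the same key
	out := []byte{byte(len(c.wrapped) >> 8), byte(len(c.wrapped))}
	out = append(append(out, c.wrapped...), nonce...)
	return c.aead.Seal(out, nonce, plaintext, aad), nil
}

// Decrypt unwraps each distinct wrapped key once (one KMS call, then cached).
func (c *Client) Decrypt(msg, aad []byte) ([]byte, error) {
	if len(msg) < 2 || len(msg) < 2+(int(msg[0])<<8|int(msg[1]))+12 {
		return nil, errors.New("message too short")
	}
	n := int(msg[0])<<8 | int(msg[1])
	wrapped, nonce, ct := msg[2:2+n], msg[2+n:2+n+12], msg[2+n+12:]
	aead, ok := c.cache[string(wrapped)]
	if !ok {
		dk, err := c.kms.UnwrapDataKey(wrapped)
		if err != nil {
			return nil, err
		}
		aead = mustGCM(dk)
		c.cache[string(wrapped)] = aead
	}
	return aead.Open(nil, nonce, ct, aad)
}

func main() {
	kms := &localKMS{keys: map[string][]byte{}}
	ct, _ := NewClient(kms, 1000).Encrypt([]byte("order 1"), []byte("orders")) // constructed sample
	pt, err := NewClient(kms, 1000).Decrypt(ct, []byte("orders"))
	fmt.Printf("%q err=%v, KMS calls=%d\n", pt, err, kms.Calls) // 2: one GenerateDataKey, one Decrypt
}
```

The `aad` argument is authenticated but not encrypted and plays the role of an encryption context: a message sealed under one context fails to open under another. `maxUses` is the rotation boundary; with random 96-bit nonces the count of messages under a single key has to stay bounded, and rotating to a fresh data key costs exactly one more GenerateDataKey call.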

RSA signing with AWS KMS

I'm looking for a way to use aws-kms for RSA signing of arbitrary byte array. I was wondering if there is an API for that in aws-kms, or some building blocks that can be used together to build that.
Thanks!
KMS only generates symmetric data keys, and KMS key material is also symmetric. I believe it is not possible using KMS. Consider using CloudHSM.
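Added example (Go, not code from the question or the answer): the digest-based signing flow used when the private key lives in a key service and the input is an arbitrary byte array. KMS keys can also be created with a SIGN_VERIFY key usage over the RSA and ECC key specs listed in the first answer on this page, and the Sign API accepts either the raw message (size-limited) or a precomputed digest; a local RSA key here is an assumption standing in for such a key so the example runs offline. The client hashes the data itself and submits only the 32-byte SHA-256 digest, the signer produces an RSASSA-PSS signature (the RSASSA_PSS_SHA_256 scheme), and anyone holding the exported public key can verify.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Signer stands in for an RSA key with SIGN_VERIFY usage whose private half
// stays inside the key service (assumption: a local stand-in, not the AWS API).
// It accepts only a 32-byte SHA-256 digest, so callers hash arbitrary-length
// data themselves and send just the digest, which is how a signing service
// with a small request-size limit signs large inputs.
type Signer struct{ priv *rsa.PrivateKey }

func NewSigner(bits int) (*Signer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// PublicKeyDER is the SubjectPublicKeyInfo encoding verifiers get (GetPublicKey).
func (s *Signer) PublicKeyDER() ([]byte, error) {
	return x509.MarshalPKIXPublicKey(&s.priv.PublicKey)
}

var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash} // RSASSA-PSS, salt = hash length

// SignDigest produces an RSASSA-PSS signature over a SHA-256 digest
// (the RSASSA_PSS_SHA_256 scheme). Anything that is not a digest is refused.
func (s *Signer) SignDigest(digest []byte) ([]byte, error) {
	if len(digest) != sha256.Size {
		return nil, errors.New("expected a 32-byte SHA-256 digest")
	}
	return rsa.SignPSS(rand.Reader, s.priv, crypto.SHA256, digest, pssOpts)
}

// SignBytes is the client-side helper: hash locally, send only the digest.
func SignBytes(s *Signer, data []byte) ([]byte, error) {
	d := sha256.Sum256(data)
	return s.SignDigest(d[:])
}

// Verify needs only the exported public key and runs anywhere.
func Verify(publicKeyDER, data, sig []byte) error {
	parsed, err := x509.ParsePKIXPublicKey(publicKeyDER)
	if err != nil {
		return err
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return errors.New("not an RSA public key")
	}
	d := sha256.Sum256(data)
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, pssOpts)
}

func main() {
	s, err := NewSigner(2048)
	if err != nil {
		panic(err)
	}
	der, _ := s.PublicKeyDER()
	data := make([]byte, 1<<20) // constructed 1 MiB input, far above any per-request limit
	sig, err := SignBytes(s, data)
	fmt.Println("signed:", err, "verify:", Verify(der, data, sig))
	data[0] ^= 1
	fmt.Println("after tamper:", Verify(der, data, sig))
}
```

Because only the digest crosses the boundary, the size of the signed data is irrelevant to the key service, and because verification uses nothing but the public key, it can happen on systems that have no access to the service at all.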