Envelope Encryption in AWS - KMS

• Preface ✉️
• The Problem
• Introducing AWS Key Management Service
• AWS KMS Key Points 🔑
• KMS Encryption Example
• KMS Decryption Example
• KMS Keywrapping Benefits 👍

Preface ✉️

In this article I will be discussing how envelope encryption works in relation to AWS Key Management Service (KMS). In order to understand the key points of this article, the reader should have at a basic understanding of the following topics; encryption (asymmetric/symmetric), AWS KMS, and some of the common AWS products(eg. S3).

It should be noted that envelope encryption is simply a technique that can be used to safeguard data using layers of keys. Envelope encryption uses a separate symmetric key for every piece of data. The symmetric key is itself is encrypted with a different symmetric key.

You can learn more about AWS KMS for future reading with the official resource AWS KMS.

Let's now get into the details behind how this works with AWS KMS.

The Problem

When considering encryption, a fundamental issue that arises consistently, is what method of encryption to use, asymmetric or symmetric. The root of the dilemma is revolves around a trade-off between security and performance.

Let's look a the details of each form of encryption.

Symmetric Encryption:

Pros: Symmetric encryption is typically faster and more efficient than asymmetric encryption because it uses a single secret key for both encryption and decryption. This makes it well-suited for encrypting large amounts of data and for high-performance requirements.

Cons: The challenge with symmetric encryption is key management. Since the same key is used for both encryption and decryption, securely sharing and managing this key among parties can be complex, especially in scenarios where multiple parties need access to the data.

Asymmetric Encryption:

Pros: Asymmetric encryption, also known as public-key encryption, offers strong security and key management benefits. It uses a pair of keys: a public key for encryption and a private key for decryption. This enables secure data sharing without sharing the private key, making it suitable for secure communications over untrusted networks and secure user authentication.

Cons: Asymmetric encryption is computationally more intensive and slower than symmetric encryption. Encrypting and decrypting data with asymmetric keys is resource-intensive, which can impact performance, especially when handling large volumes of data.

In summary, symmetric encryption requires less overhead, but requires sharing the key. Sharing the key will require doing so securely, thus returning to the original problem we are trying to solve. On the other hand, asymmetric encryption has strong security since we can encrypt data and never share the private key, however it is computationally expensive to use.

Introducing AWS Key Management Service

Definition: AWS Key Management Service (KMS) is a managed encryption service provided by Amazon Web Services (AWS). It allows you to create and manage cryptographic keys used for data encryption within your AWS applications and services. AWS KMS helps you protect sensitive data by providing a central location for managing encryption keys, making it easier to implement strong security practices.

KMS Features:

1. Key Creation and Management: AWS KMS enables you to create and manage encryption keys used to encrypt and decrypt data. It supports both symmetric keys (used for data encryption) and asymmetric keys (used for signing and verifying data).

2. Integration with AWS Services: Many AWS services, such as Amazon S3, Amazon RDS, and AWS Lambda, integrate seamlessly with AWS KMS. You can use AWS KMS to encrypt data stored in these services and control access to the encryption keys.

3. Fine-Grained Access Control: AWS KMS allows you to define fine-grained access policies to specify who can use specific keys for encryption and decryption. This helps you enforce access controls and data protection.

4. Key Rotation: AWS KMS supports key rotation, allowing you to automatically or manually rotate keys to enhance security and compliance.

5. Auditing and Monitoring: AWS KMS provides detailed audit logs through AWS CloudTrail, enabling you to monitor key usage and access.

6. Integration with Custom Applications: You can use the AWS SDKs and APIs to integrate AWS KMS with your custom applications, ensuring that encryption keys are managed securely.

7. Multi-Region Support: AWS KMS offers multi-region support, allowing you to create and replicate keys in multiple AWS regions for disaster recovery and high availability.

8. Compliance and Security: AWS KMS is designed to meet various compliance standards and provides strong security controls to protect your data.

AWS KMS Key Points 🔑

Now that we have an idea on what KMS is, let's discuss some features along with a practical example to enhance our understanding.

KMS manages KMS keys which are used to encrypt data (read other encryption keys) which are less than 4mb in size.

It is also vital to note that AWS KMS has its own permissions. This is a crucial security feature of KMS since you cannot do anything with KMS unless you have very specific permission to interact with the KMS service.

A Key Encryption Key (KEK)is either a symmetric/asymmetric key in KMS. It is used to encrypt certain keys (discussed next) which encrypt the actual data, A KEK stays within KMS and is managed by the KMS service. You cannot directly access these types keys. 🔐

Data Encyption Keys (DEK) however, are encryption keys which are created by KMS, yet are not managed by KMS. DEK are managed by the person or service that generates them. These are used to encrypt or decrypt data.

Note 💡: We can use a KEK to generate as many unique DEK as we want to encrypt each piece of data within a given resource.

KMS Encryption Example

Let's say we have provisioned a S3 bucket to store some photos we want to keep secure. We would generate a separate DEK for each image we wanted to encrypt.

KMS would use a KEK to generate two copies of this key:

1. One copy would be used to encrypt a single image. This DEK would then be discarded.
2. The second copy of the DEK would be encrypted with the KEK.
3. Both the image and encrypted DEK would be stored together in the S3 bucket.

As mentioned above, a separate DEK can be used to encrypt every piece of data. What this accomplishes is that should a key (DEK) get leaked, the key on its own would be useless without the KEK to decrypt it. Should a key somehow become unencrypted, the scope of the breach would be limited to one image (in the example we are using). The remaining images would still be encrypted and secure since they each have their unique DEK encryption.

Keep in mind KEK never leave KMS and KMS also requires permissions for interaction. One cannot directly access a KEK.

KMS Decryption Example

So how do we go about decrypting our images? Let's take a look:

1. A request is made to KMS to decrypt the DEK that is stored with the picture we want to access.
2. Since KMS does not manage DEKs, the DEK is passed to KMS.
3. The permission of our service (S3) needs to have permission from KMS to decrypt the DEK.
4. If allowed, KMS will return a copy of the DEK in plaintext which can be used to obtain access to the picture.
5. The plaintext DEK is discarded.

KMS Keywrapping Benefits 👍

• As we can see from the examples used, KMS is a great way to use the wrapped key architecture to manage keys at scale.
• There is a big security benefit of KMS having isolated permissions.
• The Key Encryption Keys (KEK) are kept safe since they cannot be accessed directly.
• Services, individuals must have permissions to access KMS.
• Each piece of data can be encrypted using a separate symmetric Data Encryption Key (DEK).
• KMS allows us to encrypt our data security using symmetric encryption. This reduces computational overhead.
• Only the encrypted DEK needs to be passed to KMS (instead of the actual object) for decryption.
• Using a separate DEK with a secured KEK allows us to minimize the blast radius of any potential compromises.