AWS Encryption KMS CMKs

AWS KMS CMKs (Customer Master Keys; the AWS docs now call them KMS keys) are the fundamental resources that AWS KMS manages.
CMKs never leave AWS KMS unencrypted, but data keys can.

AWS KMS uses envelope encryption to protect data:

1. AWS KMS creates a data key,
2. encrypts it under a CMK,
3. and returns both the plaintext and the encrypted version of the data key.


You can retrieve a plaintext data key only if you have the encrypted data key and you have permission to use the corresponding master key (the Decrypt call goes to KMS, which unwraps the data key under the CMK and hands the plaintext back).


Encryption context is a set of key/value pairs that you can pass to AWS KMS when you call:
-Encrypt
-Decrypt
-ReEncrypt
-GenerateDataKey
-GenerateDataKeyWithoutPlaintext

-Although the encryption context is not included in the ciphertext, it is cryptographically bound to the ciphertext during encryption (KMS uses it as additional authenticated data) and must be passed again, unchanged, when you call Decrypt (or ReEncrypt). It is not secret: KMS writes it to CloudTrail, so never put sensitive data in it; it can also be used in key policy and IAM conditions (kms:EncryptionContext:<key>) to restrict which contexts a principal may decrypt.
Ciphertext cannot be decrypted if it was encrypted under a CMK you are not allowed to use (for example one in a different AWS account that has not granted you access) or if it has been altered since it was originally encrypted.
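The envelope-encryption flow and the encryption-context rule above, worked through as an added example that is not part of the original notes and not AWS's code. A hypothetical MockKMS stands in for the service: it holds one 256-bit CMK that callers never receive, wraps data keys with AES-GCM and binds the encryption context as associated data (the same mechanism KMS itself uses). The client side does envelope encryption with the returned data key. Decrypting with the same context succeeds; a different context, a different CMK (the analogue of a key in another account) or one altered bit in the wrapped key all fail. The context values and the record are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Context is the key/value encryption context passed to the KMS APIs. json.Marshal
// sorts map keys, so equal contexts give identical associated data whatever the order.
type Context map[string]string

func (c Context) aad() []byte {
	b, _ := json.Marshal(c) // a map[string]string always marshals
	return b
}

// randomBytes draws n bytes from crypto/rand; a failure there is unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds an AES-GCM AEAD; every key here is 32 bytes, so failure is a bug.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts with a fresh nonce (prefixed to the output), binding aad as AEAD data.
func seal(gcm cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails on an altered ciphertext or a different aad.
func open(gcm cipher.AEAD, ciphertext, aad []byte) ([]byte, error) {
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], aad)
}

// MockKMS is a hypothetical stand-in for the service: one CMK callers never see in plaintext.
type MockKMS struct{ cmk cipher.AEAD }

func NewMockKMS() *MockKMS { return &MockKMS{cmk: mustGCM(randomBytes(32))} }

// GenerateDataKey returns a fresh 256-bit data key in plaintext plus the same key
// wrapped under the CMK, with the encryption context bound as associated data.
func (k *MockKMS) GenerateDataKey(ctx Context) (plaintext, wrapped []byte) {
	plaintext = randomBytes(32)
	return plaintext, seal(k.cmk, plaintext, ctx.aad())
}

// Decrypt unwraps a data key: the same context must be presented again, and a
// blob altered since it was wrapped fails the GCM tag check.
func (k *MockKMS) Decrypt(wrapped []byte, ctx Context) ([]byte, error) {
	return open(k.cmk, wrapped, ctx.aad())
}

// Envelope is what the client stores: the wrapped data key beside the body
// encrypted under it. The plaintext data key is discarded after use.
type Envelope struct{ WrappedKey, Body []byte }

func EnvelopeEncrypt(kms *MockKMS, ctx Context, data []byte) Envelope {
	dk, wrapped := kms.GenerateDataKey(ctx)
	return Envelope{WrappedKey: wrapped, Body: seal(mustGCM(dk), data, nil)}
}

// EnvelopeDecrypt asks KMS to unwrap the data key, then unseals the body locally.
func EnvelopeDecrypt(kms *MockKMS, ctx Context, env Envelope) ([]byte, error) {
	dk, err := kms.Decrypt(env.WrappedKey, ctx)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(mustGCM(dk), env.Body, nil)
}

func main() {
	kms, ctx := NewMockKMS(), Context{"purpose": "demo", "tenant": "acme"} // constructed
	env := EnvelopeEncrypt(kms, ctx, []byte("constructed sample record"))
	pt, err := EnvelopeDecrypt(kms, ctx, env)
	fmt.Printf("same context: %q err=%v\n", pt, err)
	_, err = EnvelopeDecrypt(kms, Context{"purpose": "demo"}, env)
	fmt.Println("different context:", err)
	env.WrappedKey[len(env.WrappedKey)-1] ^= 1 // one flipped bit in the wrapped key
	_, err = EnvelopeDecrypt(kms, ctx, env)
	fmt.Println("altered wrapped key:", err)
}
```

Note what the client never stores: the plaintext data key lives only for the duration of EnvelopeEncrypt/EnvelopeDecrypt, and the wrapped key is useless to anyone who cannot call Decrypt on the CMK with the right context, which is exactly the permission boundary the notes describe.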





1. In transit

a) SSL/TLS

2. At rest

a) Server-side encryption

-S3-managed keys - SSE-S3
-SSE-KMS
  *separate permission for the envelope key (the CMK): read access to the bucket alone is not enough, the caller also needs kms:Decrypt on the key
  *audit trail in CloudTrail of when and by whom the key is used

-SSE-C -> client provides the keys (S3 encrypts with them but does not store them; the same key must be sent again on every GET)

b) Client-side encryption
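The three server-side modes at the request level, as an added example (not from the original notes, not AWS's code): RequestHeaders builds the headers a PUT needs for each mode, including the base64 key and key-MD5 that SSE-C requires, and Classify reads the headers S3 returns on HEAD or GET so that an audit script can tell which mode actually protected an object. The key ID and the sample responses in main are constructed; the header names and values are the ones S3 documents.

```go
package main

import (
	"crypto/md5"
	"encoding/base64"
	"fmt"
	"strings"
)

// The server-side modes listed above; SSENone is what an unencrypted PUT leaves behind.
const (
	SSENone = "none"
	SSES3   = "SSE-S3"
	SSEKMS  = "SSE-KMS"
	SSEC    = "SSE-C"
)

// RequestHeaders builds the headers a PUT needs for the chosen mode. keyOrID is
// the KMS key ID or ARN for SSE-KMS (empty selects the AWS-managed aws/s3 key)
// and the raw 256-bit key for SSE-C.
func RequestHeaders(mode string, keyOrID []byte) (map[string]string, error) {
	h := map[string]string{}
	switch mode {
	case SSES3:
		h["x-amz-server-side-encryption"] = "AES256"
	case SSEKMS:
		h["x-amz-server-side-encryption"] = "aws:kms"
		if len(keyOrID) > 0 {
			h["x-amz-server-side-encryption-aws-kms-key-id"] = string(keyOrID)
		}
	case SSEC:
		if len(keyOrID) != 32 {
			return nil, fmt.Errorf("SSE-C needs a 256-bit key, got %d bytes", len(keyOrID))
		}
		sum := md5.Sum(keyOrID) // S3 checks this digest against the key it receives
		h["x-amz-server-side-encryption-customer-algorithm"] = "AES256"
		h["x-amz-server-side-encryption-customer-key"] = base64.StdEncoding.EncodeToString(keyOrID)
		h["x-amz-server-side-encryption-customer-key-MD5"] = base64.StdEncoding.EncodeToString(sum[:])
	default:
		return nil, fmt.Errorf("unknown mode %q", mode)
	}
	return h, nil
}

// Classify reads the headers S3 returns on HEAD or GET and reports which mode
// protected the object and, for SSE-KMS, which key. Names are matched
// case-insensitively because HTTP clients canonicalise them differently.
func Classify(resp map[string]string) (mode, keyID string) {
	get := func(name string) string {
		for k, v := range resp {
			if strings.EqualFold(k, name) {
				return v
			}
		}
		return ""
	}
	switch strings.ToLower(get("x-amz-server-side-encryption")) {
	case "aes256":
		return SSES3, ""
	case "aws:kms", "aws:kms:dsse": // dual-layer DSSE-KMS is also a KMS-keyed object
		return SSEKMS, get("x-amz-server-side-encryption-aws-kms-key-id")
	}
	if get("x-amz-server-side-encryption-customer-algorithm") != "" {
		return SSEC, "" // S3 never echoes the customer key, only its MD5
	}
	return SSENone, ""
}

func main() {
	// Constructed sample HEAD responses: one object per mode plus one left unencrypted.
	samples := []map[string]string{
		{"x-amz-server-side-encryption": "AES256"},
		{"x-amz-server-side-encryption": "aws:kms",
			"x-amz-server-side-encryption-aws-kms-key-id": "1234abcd-12ab-34cd-56ef-1234567890ab"},
		{"X-Amz-Server-Side-Encryption-Customer-Algorithm": "AES256"},
		{"Content-Type": "text/plain"},
	}
	for _, s := range samples {
		mode, key := Classify(s)
		fmt.Println(mode, key)
	}
}
```

The SSENone result is the one to alert on in an audit: a bucket default encryption setting only applies to objects written after it was enabled, so older objects can still come back without any x-amz-server-side-encryption header.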



Data encrypted by an encrypted EBS volume:
-data at rest inside the volume
-all data moving between the volume and the instance
-all snapshots created from the volume
-all volumes created from those snapshots
