In many areas of IT, we have to learn to manage keys. This could be simple stuff such as usernames and passwords, but also more complicated topics such as encryption keys. While I’m not an encryption key expert per se, I do know enough about them to get a number of things done. But more importantly, I know that they need to be fully protected.

With the recent news of Amazon launching Server Side Encryption (SSE) for data-at-rest encryption, this is another reminder to me of the critical nature of key management. The Amazon solution allows 256-bit AES encryption to be performed locally on data before it is uploaded into the S3 storage cloud. Further, there is an option within the encryption client provided by the AmazonS3EncryptionClient class to leverage APIs to do the encryption locally with self-managed keys before transferring to S3. Given the popularity of public cloud computing and the inevitable increase in its use, it’s critical to refine some best practices on key management for cloud applications.

We can borrow a few tricks from the things we’ve always done on key management, such as ensuring encryption keys are used for backups that go offsite.

  • Limit the number of encryption keys in use (but protect them very well) and spread out the encryption. For example, if you lose one key somehow, that loss shouldn’t bring down your whole encryption scheme.
  • Store the keys on a mechanism with robust auditing, including reads on a file system as well as any other access. That way, any activity (even a read) is logged for any forensic requirement.
  • Issue an escrow copy of newly rotated encryption keys to an internal security team or external software escrow agency. Limited information on what the keys are for may need to be provided, but the takeaway is that a backup or check-and-balance of the protection of the keys is made.
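One way to encrypt locally with a self-managed 256-bit AES key while keeping the loss of any single key contained is the envelope pattern: each object gets its own one-time data key, and only that data key is wrapped with the master key. This is an added example, not code from Amazon's SDK or the original post; it uses only the JDK's javax.crypto (Java 16+ for the record type), and the class name, method names and sample inputs are constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;

public class EnvelopeDemo {
    // What would be stored remotely: ciphertext plus wrapped data key and IV as metadata.
    record Sealed(byte[] wrappedKey, byte[] iv, byte[] ciphertext) {}

    static SecretKey newAes256Key() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    static Sealed seal(byte[] plaintext, SecretKey masterKey) throws Exception {
        SecretKey dataKey = newAes256Key();            // one-time key for this object only
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, dataKey, new GCMParameterSpec(128, iv));
        byte[] ct = gcm.doFinal(plaintext);
        Cipher wrap = Cipher.getInstance("AESWrap");   // RFC 3394 AES key wrap
        wrap.init(Cipher.WRAP_MODE, masterKey);
        return new Sealed(wrap.wrap(dataKey), iv, ct);
    }

    static byte[] open(Sealed s, SecretKey masterKey) throws Exception {
        Cipher unwrap = Cipher.getInstance("AESWrap");
        unwrap.init(Cipher.UNWRAP_MODE, masterKey);
        SecretKey dataKey = (SecretKey) unwrap.unwrap(s.wrappedKey(), "AES", Cipher.SECRET_KEY);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, dataKey, new GCMParameterSpec(128, s.iv()));
        return gcm.doFinal(s.ciphertext());            // fails if ciphertext was altered
    }

    public static void main(String[] args) throws Exception {
        SecretKey master = newAes256Key();             // self-managed; stays on your side
        Sealed a = seal("offsite backup contents".getBytes(StandardCharsets.UTF_8), master);
        Sealed b = seal("second object".getBytes(StandardCharsets.UTF_8), master);
        System.out.println(new String(open(a, master), StandardCharsets.UTF_8));
        System.out.println("distinct data keys: " + !Arrays.equals(a.wrappedKey(), b.wrappedKey()));
        try { open(b, newAes256Key()); }               // a different master key must be rejected
        catch (GeneralSecurityException e) { System.out.println("wrong master key rejected"); }
    }
}
```

Rotating the master key then means re-wrapping the small data keys rather than re-encrypting every object, and the master key is the one item that needs the audited storage and escrow copy described above.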

In the case of Amazon SSE, cloud solution administrators will be able to manage keys for data going in and out of cloud applications for S3 data transfers. Currently for Amazon’s Elastic Block Store storage resources (EBS), SSE is not supported. I personally don’t think SSE would be capable on EBS, but a new encryption mechanism may be available or used within AMIs to provide at-rest encryption of data traveling to, through, and from the Amazon clouds.

How does SSE give more confidence to your S3 data storage strategy? Share your comments below.