Skip to content

Instantly share code, notes, and snippets.

@balamurugana
Last active June 21, 2018 22:35
Show Gist options
  • Save balamurugana/0d15c2d67aee17d8826d73774b7f9c00 to your computer and use it in GitHub Desktop.
Save balamurugana/0d15c2d67aee17d8826d73774b7f9c00 to your computer and use it in GitHub Desktop.

Service Side Encryption (SSE) in AWS S3:

Three types of SSE supported.

  • SSE-C - client provides data encryption key for every get/put object calls. AWS S3 does not store client provided data encryption key. Client provided data encryption key may be generated by AWS KMS for every get/put object calls. It is user responsibility to securely save/map data encryption keys generated by KMS and AWS S3 does not store any data encryption key.
  • SSE-S3 - client does not provide any encryption key for any get/put object calls. AWS S3 uses one single key (generated at first time) to encrypt/decrypt objects. Accordingly AWS docs, this key is stored along with object data.
  • SSE-KMS - client provides Customer Master Key (CMK) for any get/put object calls. AWS S3 uses client's provided CMK to generate data keys using KMS to encrypt/decrypt objects. This data key is encrypted using KMS and is stored along with object data.

Below bucket policy prevents uploading unencrypted objects (even by owner/auth user).

  • SSE-KMS:
{
   "Version":"2012-10-17",
   "Id":"PutObjPolicy",
   "Statement":[{
         "Sid":"DenyUnEncryptedObjectUploads",
         "Effect":"Deny",
         "Principal":"*",
         "Action":"s3:PutObject",
         "Resource":"arn:aws:s3:::YourBucket/*",
         "Condition":{
            "StringNotEquals":{
               "s3:x-amz-server-side-encryption":"aws:kms"
            }
         }
      }
   ]
}
  • SSE-S3:
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}

AWS KMS:

  • KMS provides API to create Customer Master Key (CMK) which is not retrievable.
  • KMS provides APIs to encrypt/decrypt data of max. 4KiB size.
  • KMS provides APIs to generate data keys using CMK.
  • KMS is not a vault i.e. there is no way user generated keys (even data keys generated by KMS) are stored in KMS.
  • KMS uses HSMs underneath.
  • KMS is a general purpose key management service it can be hooked into any AWS services like S3 (or even services outside of AWS).

Hashicorp Vault:

  • In simple words, it is encrypted key/value store.
  • All keys/values are stored in vault. It comes with default expiry time and sealing/unsealing.
  • It also provides ecnrypt/decrypt functions like AWS KMS.
  • By default, it is not HA and fault tolerance. The recommendation is to use Consul as data store which provides HA and fault tolerance.

Azure Vault:

  • It is encrypted key/value store along with AWS KMS features.
  • It uses HSM to perform encrypt/decrypt operations.

Keywhiz:

  • It is same as Hashicorp Vault written in Java.

https://gist.github.com/maxvt/bb49a6c7243163b8120625fc8ae3f3cd is nice work of comparing various key management systems.

@harshavardhana
Copy link

s/menagement /management at the last line.

@aead
Copy link

aead commented Feb 19, 2018

KMS is not a vault i.e. there is no way user generated keys (even data keys generated by KMS) are stored in KMS

I don't think so. KMS does not store data keys. KMS only store master keys which are used to encrypt data keys. Data keys are (probably) embedded into object metadata in encrypted form. Storing all data keys in KMS is an approach which does not scale.
FYI: https://www.youtube.com/watch?v=WEJ451rmhk4

KMS uses HSMs underneath

Not necessarily - HSM can be part of KMS (AWS claims to do so) but it is not a requirement.
For example KMS can be strictly controlled server(s) running on my own machines while I deploy minio servers in a cloud...

@balamurugana
Copy link
Author

balamurugana commented Feb 20, 2018

@aead

I don't think so. KMS does not store data keys. KMS only store master keys which are used to encrypt data keys. Data keys are (probably) embedded into object metadata in encrypted form. Storing all data keys in KMS is an approach which does not scale.
FYI: https://www.youtube.com/watch?v=WEJ451rmhk4

The point says same thing other than I don't think so or I am not able to understand your comment.

Not necessarily - HSM can be part of KMS (AWS claims to do so) but it is not a requirement.
For example KMS can be strictly controlled server(s) running on my own machines while I deploy minio servers in a cloud...

KMS uses HSMs is from AWS. Could you point me where AWS says it is not used in AWS KMS?

Note that this gist does not say anything about SSE design in minio server and it is not the goal here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment