Three types of SSE are supported.
- SSE-C - the client provides the data encryption key for every get/put object call. AWS S3 does not store the client-provided data encryption key. The client-provided data encryption key may be generated by AWS KMS for every get/put object call. It is the user's responsibility to securely save/map the data encryption keys generated by KMS; AWS S3 does not store any data encryption key.
- SSE-S3 - the client does not provide any encryption key for get/put object calls. AWS S3 uses one single key (generated the first time) to encrypt/decrypt objects. According to the AWS docs, this key is stored along with the object data.
- SSE-KMS - the client provides a Customer Master Key (CMK) for get/put object calls. AWS S3 uses the client-provided CMK to generate data keys via KMS to encrypt/decrypt objects. This data key is encrypted using KMS and is stored along with the object data.
The bucket policy below prevents uploading unencrypted objects (even by the owner/an authenticated user).
- SSE-KMS:

```json
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
```
- SSE-S3:

```json
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```
- KMS provides an API to create a Customer Master Key (CMK), which is not retrievable.
- KMS provides APIs to encrypt/decrypt data of at most 4 KiB.
- KMS provides APIs to generate data keys using a CMK.
- KMS is not a vault, i.e. user-generated keys (even data keys generated by KMS) are never stored in KMS.
- KMS uses HSMs underneath.
- KMS is a general-purpose key management service; it can be hooked into any AWS service like S3 (or even services outside of AWS).
- In simple words, it is an encrypted key/value store.
- All keys/values are stored in the vault. It comes with a default expiry time and sealing/unsealing.
- It also provides encrypt/decrypt functions like AWS KMS.
- By default, it is not HA or fault tolerant. The recommendation is to use Consul as the data store, which provides HA and fault tolerance.
- It is an encrypted key/value store along with AWS KMS features.
- It uses an HSM to perform encrypt/decrypt operations.
- It is the same as Hashicorp Vault, written in Java.
https://gist.github.com/maxvt/bb49a6c7243163b8120625fc8ae3f3cd is a nice comparison of various key management systems.
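The SSE-KMS flow and the KMS data-key model described in the notes above (a non-retrievable CMK, Encrypt/Decrypt limited to 4 KiB, GenerateDataKey, and KMS storing no data keys), as an added example in Go that is not MinIO's, AWS's or any project's code. `mockKMS`, `newMockKMS`, `putObject`, `getObject`, `encryptedObject` and the `kmsMaxPlaintext` constant are assumed names for an in-process stand-in; AES-256-GCM is an assumption for both the key wrapping and the object encryption, and the sample object is constructed inline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// mockKMS is an assumed stand-in for AWS KMS: one customer master key (CMK)
// that never leaves the service; callers get only data keys and ciphertext.
type mockKMS struct{ cmk []byte } // 32-byte AES-256 master key, memory only
const kmsMaxPlaintext = 4096      // the 4 KiB limit of the KMS Encrypt/Decrypt APIs

func newMockKMS() (*mockKMS, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return &mockKMS{cmk: k}, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under key; the random nonce is prepended.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	_, err = rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil), err
}

// open reverses seal; any tampering fails the GCM authentication tag check.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key (%v) or ciphertext too short", err)
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt is the small-payload API (at most 4 KiB); here it only wraps data keys.
func (k *mockKMS) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) > kmsMaxPlaintext {
		return nil, fmt.Errorf("%d bytes exceeds the %d-byte KMS limit", len(plaintext), kmsMaxPlaintext)
	}
	return seal(k.cmk, plaintext)
}

// Decrypt unwraps what Encrypt produced under the same CMK.
func (k *mockKMS) Decrypt(ciphertext []byte) ([]byte, error) { return open(k.cmk, ciphertext) }
// GenerateDataKey returns a fresh 256-bit data key in plaintext (encrypt the object,
// then discard it) and wrapped under the CMK (store it with the object). KMS keeps neither.
func (k *mockKMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = k.Encrypt(plain)
	return plain, wrapped, err
}

// encryptedObject is what the store persists: ciphertext plus the wrapped key as metadata.
type encryptedObject struct{ Ciphertext, WrappedDataKey []byte }

// putObject is the SSE-KMS write path: data key from KMS, local encryption, wrapped key kept.
func putObject(kms *mockKMS, data []byte) (*encryptedObject, error) {
	plainKey, wrappedKey, err := kms.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(plainKey, data) // no 4 KiB limit here: the object never goes to KMS
	return &encryptedObject{Ciphertext: ct, WrappedDataKey: wrappedKey}, err
}

// getObject is the read path: KMS unwraps the data key, decryption happens locally.
func getObject(kms *mockKMS, obj *encryptedObject) ([]byte, error) {
	plainKey, err := kms.Decrypt(obj.WrappedDataKey)
	if err != nil {
		return nil, err
	}
	return open(plainKey, obj.Ciphertext)
}

func main() {
	kms, _ := newMockKMS()
	data := bytes.Repeat([]byte("sample object data "), 400) // constructed, well over 4 KiB
	obj, _ := putObject(kms, data)
	got, err := getObject(kms, obj)
	fmt.Printf("wrapped key %d bytes, round trip ok: %v\n", len(obj.WrappedDataKey), err == nil && bytes.Equal(got, data))
}
```

The point to take from the example is the split of responsibilities: the object itself is never sent to the key service, only the 32-byte data key crosses the 4 KiB boundary, and what is persisted next to the object is the wrapped key, so losing the CMK (or pointing at a different one) makes every stored object unreadable while the service holds none of the per-object keys.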
I don't think so. KMS does not store data keys. KMS only stores master keys, which are used to encrypt data keys. Data keys are (probably) embedded into object metadata in encrypted form. Storing all data keys in KMS is an approach which does not scale.
FYI: https://www.youtube.com/watch?v=WEJ451rmhk4
Not necessarily - an HSM can be part of KMS (AWS claims to do so), but it is not a requirement.
For example, KMS can be strictly controlled server(s) running on my own machines while I deploy minio servers in a cloud...