What's the best practice for storing an encrypted key with data when we store in Andes?


Hi,

My team uses a KMS key to do column-level encryption for our dataset stored in an Andes table; we use a cradle job to encrypt and write the output to the Andes table. The cradle job will be set to run backfill; every time it runs, a batch of new data will be encrypted and added to the same Andes table. Since KMS generates a random plaintext data key every time we call it, we'll need to associate each row of data with the key used to encrypt it so we'll be able to decrypt using the same key. The KMS documentation recommends storing the encrypted data key with the encrypted data, but doesn't give more specific guidance for a use case like ours. Has anyone handled a similar use case? Any recommendation on how to store the encrypted key?

asked a year ago, 288 views
1 Answer

According to the AWS Encryption SDK FAQ:

How do I keep track of the data keys that were used to encrypt my data?

The AWS Encryption SDK does this for you. When you encrypt data, the SDK encrypts the data key and stores the encrypted key along with the encrypted data in the encrypted message that it returns. When you decrypt data, the AWS Encryption SDK extracts the encrypted data key from the encrypted message, decrypts it, and then uses it to decrypt the data.

How does the AWS Encryption SDK store encrypted data keys with their encrypted data?

The encryption operations in the AWS Encryption SDK return an encrypted message, a single data structure that contains the encrypted data and its encrypted data keys. The message format consists of at least two parts: a header and a body. The message header contains the encrypted data keys and information about how the message body is formed. The message body contains the encrypted data. If the algorithm suite includes a digital signature, the message format includes a footer that contains the signature. For more information, see AWS Encryption SDK message format reference.
kentrad (AWS EXPERT), answered a year ago
  • Hi, thanks for your answer. I think our use case is different because we don't store our data with KMS. Basically we use the encrypted key outside of AWS to do the encryption.

  • You don't have to run the AWS Encryption SDK code inside of AWS or store the encrypted object in AWS. I really think the SDK is the answer you are looking for.
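The envelope pattern that both the question and the answer describe (one data key per record, the data key persisted in wrapped form right beside the ciphertext, the same header/body split the Encryption SDK message format uses), as an added example that is not part of the original thread and not the AWS Encryption SDK's code. It uses only the Go standard library. The local `WrappingKey` stands in for the KMS key and `GenerateDataKey` for the KMS API of the same name; that substitution is an assumption of the example, and in a real deployment the wrapping key material never leaves KMS. `EnvelopeRecord`, `EncryptRow`, `DecryptRow` and the row id bound as associated data are the example's own names and design.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// WrappingKey stands in for the KMS key (an assumption of this example): in a real
// deployment GenerateDataKey/DecryptRow below call KMS and this key never leaves it.
type WrappingKey []byte

// EnvelopeRecord is what is persisted per row: wrapped data key ("header") beside ciphertext ("body").
type EnvelopeRecord struct {
	WrappedKey []byte // data key encrypted under the wrapping key
	Ciphertext []byte // nonce || AES-256-GCM ciphertext || tag
}

// keyPurpose is AAD on every wrapped key so a row body can never be unwrapped as a key.
var keyPurpose = []byte("envelope:data-key")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-GCM under key and prepends the random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; any change to nonce, ciphertext, tag or AAD is rejected.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// GenerateDataKey mirrors KMS GenerateDataKey: fresh plaintext data key plus its wrapped copy.
func GenerateDataKey(master WrappingKey) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(master, plain, keyPurpose)
	return plain, wrapped, err
}

// EncryptRow uses one data key per row. rowID is bound as AAD so a stored
// (wrapped key, ciphertext) pair cannot be silently transplanted to another row.
func EncryptRow(master WrappingKey, rowID string, plaintext []byte) (EnvelopeRecord, error) {
	plain, wrapped, err := GenerateDataKey(master)
	if err != nil {
		return EnvelopeRecord{}, err
	}
	ct, err := seal(plain, plaintext, []byte(rowID)) // plain is dropped here; only wrapped is stored
	if err != nil {
		return EnvelopeRecord{}, err
	}
	return EnvelopeRecord{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptRow unwraps the row's own data key first, then opens the body with it.
func DecryptRow(master WrappingKey, rowID string, rec EnvelopeRecord) ([]byte, error) {
	plain, err := unseal(master, rec.WrappedKey, keyPurpose)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return unseal(plain, rec.Ciphertext, []byte(rowID))
}

func main() {
	master := make(WrappingKey, 32)
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	rec, err := EncryptRow(master, "row-0001", []byte("ssn=000-00-0000")) // constructed sample
	if err != nil {
		panic(err)
	}
	pt, err := DecryptRow(master, "row-0001", rec)
	fmt.Printf("stored wrapped key %x...\nrecovered %q (err=%v)\n", rec.WrappedKey[:8], pt, err)
}
```

At write time the batch job calls `EncryptRow` once per row and stores both fields of the returned record next to the other columns; at read time `DecryptRow` needs only the row's own two fields plus access to the wrapping key, so new backfill batches never have to share a key with earlier ones. Binding the row id as associated data means a wrapped key and ciphertext copied from one row into another fail authentication instead of decrypting, which is the check a reviewer would want on a column-level scheme like the one in the question.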
