When implementing envelope encryption with AWS KMS, is it desirable to generate a data key every time the server restarts? Which cycle would you prefer?


Let me explain my current situation:

  1. We will implement envelope encryption using AWS KMS.
  2. Save the data to the DB in the format "encrypted data key + encrypted text".
  3. The validity period of the data key is 2 years, and the data must be re-encrypted with a new data key immediately before expiration.
  4. The generated encrypted data key cannot be stored alone in the DB, only in the form above.
  5. I want to store the generated data key in a cache and retrieve it from there.

Question: Is there any way to know which data key was used just before a server restart, without saving it to the DB? There doesn't seem to be an API for querying data keys. Generating a new key every time the server restarts complicates the logic when re-encrypting the data key later (I'm not sure).

However, I don't want to use other AWS services (e.g. S3). If I had to, I would save it to the vault I was already using, but I don't want to use this method either, as it seems to create dependencies on other services.

However, retrieving the "encrypted data key + encrypted text" value from the DB and then getting the plaintext key back from KMS with the encrypted data key seems too legacy.

However, if the data key is created every time the server is restarted, I don't think there is a need to process it first... How about doing it this way... -> This method seems to create difficult re-encryption logic, but I'm willing to do it if this is best practice.

What are the best practices?

asked a year ago, 355 views
1 Answer

Not sure I understand the scenario completely, but data keys are usually long-lived and do not need to be rotated unless there's a data breach and you need to manually re-encrypt data.

Key rotation means that the data key is decrypted using the old KMS key and then re-encrypted with a new KMS key. Data keys should be stored in a persistent store, even if they are not stored with the encrypted data itself.

AWS
answered a year ago
  • Thank you for answering. By national law, it must be rotated every two years and then destroyed. We are also considering storage like a vault, because we can't even store it in our own DB for the same reason. That's why I don't want to create a lot of data keys, so I try to call generateDataKey once every two years.

    So, without these constraints, what would the best practice be for knowing when to use generateDataKey? It sounds like you could call generateDataKey virtually infinitely.
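The flow the question describes (data key cached in memory, records stored as "encrypted data key + encrypted text", re-encryption under a new data key at the two-year mark) written out as an added example; this is not code from the original thread or from AWS. It assumes a hypothetical `KMS` interface standing in for the aws-sdk-go-v2 kms client's GenerateDataKey and Decrypt calls, and an in-memory `FakeKMS` so it runs offline; the record layout (issue time, length-prefixed encrypted data key, AES-GCM ciphertext) is the example's own choice. The point it makes against the question is that the server does not need to remember the data key across restarts at all: `Resume` recovers it by calling KMS Decrypt on the encrypted data key stored in any existing record, so GenerateDataKey is called once per rotation period, not once per restart.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// KMS is the slice of the AWS KMS API that envelope encryption needs (hypothetical
// interface; in production wrap the aws-sdk-go-v2 kms client's GenerateDataKey and
// Decrypt calls). GenerateDataKey returns the plaintext data key and the same key
// encrypted under the KMS key; Decrypt turns that encrypted copy back into plaintext.
type KMS interface {
	GenerateDataKey() (plaintext, encrypted []byte, err error)
	Decrypt(encrypted []byte) ([]byte, error)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal/open: AES-256-GCM with a random 12-byte nonce prepended to the ciphertext.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this example is 32 bytes
	}
	g, _ := cipher.NewGCM(block) // cannot fail for AES
	return g
}
func seal(key, pt []byte) []byte {
	nonce := randBytes(12)
	return gcm(key).Seal(nonce, nonce, pt, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, sealed[:12], sealed[12:], nil)
}

// FakeKMS stands in for one KMS key so the example runs offline; its master key
// never leaves the struct, just as a KMS key never leaves KMS.
type FakeKMS struct{ master []byte }

func NewFakeKMS() *FakeKMS { return &FakeKMS{master: randBytes(32)} }
func (f *FakeKMS) GenerateDataKey() ([]byte, []byte, error) {
	dk := randBytes(32)
	return dk, seal(f.master, dk), nil
}
func (f *FakeKMS) Decrypt(edk []byte) ([]byte, error) { return open(f.master, edk) }

// Envelope keeps one plaintext data key in memory only. DB record layout:
//   issuedAt (8 bytes, unix seconds BE) | edkLen (2 bytes BE) | edk | nonce | ciphertext
type Envelope struct {
	kms          KMS
	dataKey, edk []byte
	issuedAt     time.Time
}

// NewEnvelope calls GenerateDataKey: once per rotation period, not once per restart.
func NewEnvelope(k KMS, now time.Time) (*Envelope, error) {
	dk, edk, err := k.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	return &Envelope{kms: k, dataKey: dk, edk: edk, issuedAt: now.UTC()}, nil
}

// Resume rebuilds the cache after a restart from any stored record: KMS Decrypt of
// the stored encrypted data key is the only way to get the plaintext key back.
func Resume(k KMS, rec []byte) (*Envelope, error) {
	issued, edk, _, err := split(rec)
	if err != nil {
		return nil, err
	}
	dk, err := k.Decrypt(edk)
	if err != nil {
		return nil, err
	}
	return &Envelope{kms: k, dataKey: dk, edk: edk, issuedAt: issued}, nil
}

func split(rec []byte) (issued time.Time, edk, ct []byte, err error) {
	if len(rec) < 10 || len(rec) < 10+int(binary.BigEndian.Uint16(rec[8:])) {
		return issued, nil, nil, errors.New("malformed record")
	}
	n := 10 + int(binary.BigEndian.Uint16(rec[8:]))
	return time.Unix(int64(binary.BigEndian.Uint64(rec)), 0).UTC(), rec[10:n], rec[n:], nil
}

func (e *Envelope) Encrypt(pt []byte) []byte {
	hdr := make([]byte, 10)
	binary.BigEndian.PutUint64(hdr, uint64(e.issuedAt.Unix()))
	binary.BigEndian.PutUint16(hdr[8:], uint16(len(e.edk)))
	return append(append(hdr, e.edk...), seal(e.dataKey, pt)...)
}

// Decrypt uses the cached key for records carrying the same encrypted data key
// and asks KMS for records written under an older one (needed during rotation).
func (e *Envelope) Decrypt(rec []byte) ([]byte, error) {
	_, edk, ct, err := split(rec)
	if err != nil {
		return nil, err
	}
	dk := e.dataKey
	if !bytes.Equal(edk, e.edk) {
		if dk, err = e.kms.Decrypt(edk); err != nil {
			return nil, err
		}
	}
	return open(dk, ct)
}

// RotateIfDue re-encrypts rec under the current data key once the key it was
// written with has reached maxAge (two years here); otherwise rec comes back as is.
func (e *Envelope) RotateIfDue(rec []byte, now time.Time, maxAge time.Duration) ([]byte, error) {
	issued, _, _, err := split(rec)
	if err != nil {
		return nil, err
	}
	if now.Before(issued.Add(maxAge)) {
		return rec, nil // not due yet
	}
	pt, err := e.Decrypt(rec)
	if err != nil {
		return nil, err
	}
	return e.Encrypt(pt), nil
}

func main() {
	k := NewFakeKMS()
	env, err := NewEnvelope(k, time.Now())
	if err != nil {
		panic(err)
	}
	rec := env.Encrypt([]byte("constructed sample row")) // what goes into the DB
	restarted, err := Resume(k, rec)                      // the process came back with no cache
	if err != nil {
		panic(err)
	}
	pt, err := restarted.Decrypt(rec)
	fmt.Println(string(pt), err)
}
```

Two caveats a practitioner would want alongside this. The rotation the answer describes, re-wrapping the stored encrypted data key under a new KMS key, is a different operation from `RotateIfDue`: it is KMS ReEncrypt applied to the `edk` field and leaves the ciphertext and the data key itself untouched, whereas the two-year rule here produces a new data key and re-encrypts every row, after which deleting the old rows is what "destroys" the old key (it only ever existed encrypted inside them). And because GCM here uses random nonces, one data key should not encrypt anywhere near 2^32 records over its lifetime; if a single key would see that much traffic, rotate on volume as well as on age.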
