AWS || KMS for Database TDE
I received an email from one of our customers regarding their international locations where they are running databases on IaaS. Currently, they are storing the Transparent Data Encryption (TDE) certificate locally on the same system, which poses a security risk.
To mitigate this risk, they want to explore the option of using AWS Key Management Service (KMS) Customer Master Key (CMK) for TDE encryption instead of storing the certificate locally.
Specifically, they are asking if AWS KMS CMK can be used for TDE encryption with the following databases:
Microsoft SQL Server [ self hosted on EC2]
Oracle [ self hosted on EC2]
Could you please look into this and provide any relevant information or guidance we can share with the customer? It would be greatly appreciated if you could also share any best practices, considerations, or potential challenges we should be aware of when using AWS KMS for TDE encryption with these databases.
- Newest
- Most votes
- Most comments
Hello,
You will not be able to use KMS for TDE configuration since TDE is native engine feature and the keys have to be generated from the database itself. But you will be able to store the generated key in AWS CloudHSM. For more information, please check below documents.
- Oracle database transparent data encryption (TDE) with AWS CloudHSM - https://docs.aws.amazon.com/cloudhsm/latest/userguide/oracle-tde.html
- AWS CloudHSM Use Cases (Part One of the AWS CloudHSM Series) - https://aws.amazon.com/blogs/security/aws-cloudhsm-use-cases-part-one-of-the-aws-cloudhsm-series/
Not sure if running DB instance on self-hosted EC2 is a requirement but RDS offers KMS integration: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.Keys.html
Relevant content
- asked a year ago
- asked 5 months ago
- asked 8 months ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated 2 years ago
check out this blog - https://aws.amazon.com/blogs/security/architecting-for-database-encryption-on-aws/
@rePost_koushald - My response is specific to database TDE (Native engine feature). We can use KMS for encryption in RDS (EBS level) but not in database TDE configuration. In the blog link you have shared above, it is clearly mentioned that you can use KMS to encrypt the RDS (Means the EBS attached in the underlying host) but not with TDE feature which comes as native engine feature.
For the databases hosted on EC2 also, you can use KMS to encrypt the EBS only but you cannot use KMS to configure database TDE (Native engine feature).