
Questions tagged with AWS Crypto Tools


AWS instance and Credentials

Good afternoon. I want to apologize for the possibly wrong question. I am not a native English speaker and my question may be misunderstood. But I will try to ask my question as correctly as possible in order to find a way to solve it. There is a client-server application. The client has an instance. The server is in the Enclaves. In order for the client to connect to the server, the client must send a request to Credentials. On the client, the script creates a file that temporarily creates credentials for such a connection. These credentials are copied from the server's memory and copied into this file (temporarily). This file is then deleted. I would like to somehow protect myself and somehow encrypt this file or find an alternative **SAFE** solution for how to bypass this process and use other tools that Amazon AWS has. Is it possible to somehow automate this process and make the transfer of credentials that the client takes from the server and inserts into its application? Because the credentials are temporarily stored unencrypted, I think this is a serious vulnerability for my application. It is enough for me to be given an idea to solve my problem. Then I'll try to figure it out myself. AWS contains a fairly large amount of materials and it is very difficult to find the right topic. I am sure that among its tools it will be able to offer a solution to my problem. Thanks.
2 answers, 0 votes, 78 views, asked 4 months ago

Application side data protection with FIPS 140-2 Level 3 : what to use out of Encryption SDK, KMS or Cloud HSM?

Hello there, I do have a requirement in my application to encrypt and decrypt data using a symmetric key algorithm (mostly AES/CBC/PKCS5Padding). CONSTRAINTS and requirements are:
1. I need to use a FIPS 140-2 Level 3 compliant key storage solution.
2. This is existing encrypted data and hence I should be able to import my existing keys (plain keys) into whatever solution I use.
3. Even in the future, keys should be open for EXPORT so that data encrypted with this new solution WILL NOT require another re-encryption with new keys.
Keeping the above points in mind, I came across the solutions below so far and need guidance and help if someone finds that one is not a good solution or that it will break any of the above requirements I listed.
1. I can use AWS Encryption SDK with AWS KMS using a custom key store, where the custom key store would be my own Cloud HSM.
2. I can directly use Cloud HSM by leveraging standard Cloud HSM integration using the Cloud HSM JCE provider and client SDK.
3. I can use AWS KMS with the KMS API with a custom key store, where the custom key store would be my own Cloud HSM.
I know #2 will work without breaking any of my requirements and compliance list, but I want to see if I can use Encryption SDK and/or KMS for my use case, as I can get the help of the SDK to choose the best industry practices to write cryptography code instead of writing the whole code myself (in the case of Cloud HSM integration), but the points below will stop me.
1. Custom key stores cannot work with imported keys, so it will break my requirement #2.
2. I can use AWS Encryption SDK with KMS, but as import does not work for custom key stores, it's not usable any more. Can I use AWS Encryption SDK somehow to help me with data encryption directly with Cloud HSM?
3. Data envelope protection (by AWS Encryption SDK) is really more secure for symmetric key encryption. If I use that today and later want to move to Cloud HSM, will it break the decryption flow?
Any suggestion/experience learning/insights or architectural direction is greatly appreciated.
1 answer, 0 votes, 130 views, asked 6 months ago