Published on

Envelope Encryption: Boosting Cloud Security with KMS

Authors

Before the advent of the cloud computing era, data encryption was a very important topic. Looking back, when I read Chapter 7. Cryptography Basics of 'Practical Unix & Internet Security' in prehistory, I learned a lot about how cryptography is important for the security architecture of back-end services. Even in today's cloud computing era, this technology can still play a very important role.

In today's ever-evolving digital landscape, data security is more important than ever. Cloud-based storage and services have become increasingly popular, but with that comes the challenge of ensuring data remains secure and confidential. One essential technique in the realm of cloud security is envelope encryption, which provides an additional layer of protection for large data files. In this blog post, we'll dive into the concept of envelope encryption, its significance for cloud security, and how to implement it using AWS Key Management Service (KMS) and OpenSSL.

Envelope encryption is a technique that combines symmetric and asymmetric encryption methods to protect large volumes of data efficiently. The process involves encrypting a file using a symmetric data key, which is then encrypted using a master key, typically provided by a key management service like AWS KMS. The encrypted data key and the encrypted file are stored together, while the master key remains securely stored in the key management service.

The main advantage of envelope encryption is that it minimizes the risk of exposing the plaintext data key, as the master key never directly interacts with the data. This approach is particularly useful in cloud environments, where data is often distributed across multiple services, and security becomes a challenge due to the vast number of potential attack vectors.

Here's a step-by-step guide to implementing envelope encryption using AWS KMS and OpenSSL:

Generate a data key using AWS KMS:

aws kms generate-data-key --key-id 085865dc-8e72-42a9-94d6-f60cb43f637b --key-spec AES_256

This command creates a new data key, encrypted with the specified KMS key. Make sure the key-id is exists in the AWS console.

The output would be the follow format:

{
  "CiphertextBlob": "AQIDAHgp3upyUvXfYTtaE+GSFfzK5pkL/Jc37eipuMi8fqwifwGrgrzt+nBcuzgUefb0Tr7gAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMY626nlBe9k1ZWwoMAgEQgDuvQdZS/mBKVl0cF35ht7iq4WTz1ZlOW/kBARrndF7RHSxU3Kvc7+0PSpcJ28wcmeicvfxdzEs8R681kQ==",
  "Plaintext": "4iP4KiWfyMT43I6VnlmbTXB59ZaWp5U6ZOwCeOKFTOE=",
  "KeyId": "arn:aws:kms:us-west-2:392653644284:key/085865dc-8e72-42a9-94d6-f60cb43f637b"
}

CiphertextBlob and Plaintext are two properties returned when generating a data key using the AWS KMS command.

CiphertextBlob is the encrypted data key produced by the AWS KMS service using the specified master key. It is presented as a Base64-encoded string. The ciphertext blob can be used to securely store or transmit the data key during data transfer. Only users with the corresponding master key can decrypt the ciphertext blob to obtain the original data key.

Plaintext is the plaintext data key, which is the raw form of the generated random key encoded in Base64. The plaintext data key is used for encryption and decryption operations when using cryptographic algorithms. Only users with the ciphertext blob can decrypt it and use the plaintext data key for encrypting or decrypting data.

These two properties have the following use cases in AWS KMS:

  • CiphertextBlob is used for secure storage or transmission of the data key to ensure its confidentiality during transit.
  • Plaintext is used for actual encryption and decryption operations as it serves as the raw key for the cryptographic algorithm.

It is important to note that safeguarding and managing the security of these data keys is crucial to ensure the confidentiality and integrity of the data.

Save the encrypted data key to a binary file:

echo <CiphertextBlob> | base64 -d > enc_data_key.bin

Replace <CiphertextBlob> with the Base64-encoded encrypted data key returned by the aws kms generate-data-key command.

Encrypt the file using OpenSSL and the plaintext data key:

openssl enc -aes-256-cbc -pbkdf2 -in secret_file.txt -out encrypted_secret_file.txt -pass pass:<Plaintext>

Replace <Plaintext> with the plaintext data key generated in aws kms generate-data-key, and adjust the input and output file paths as needed. You may need to brew install openssl if you are using macOS. (refer)

When you need to decrypt the file, first use AWS KMS to decrypt the encrypted data key:

aws kms decrypt --ciphertext-blob fileb://enc_data_key.bin

The output would like:

{
  "KeyId": "arn:aws:kms:us-west-2:392653644284:key/085865dc-8e72-42a9-94d6-f60cb43f637b",
  "Plaintext": "4iP4KiWfyMT43I6VnlmbTXB59ZaWp5U6ZOwCeOKFTOE=",
  "EncryptionAlgorithm": "SYMMETRIC_DEFAULT"
}

Decrypt the file using OpenSSL and the decrypted plaintext data key:

openssl enc -d -aes-256-cbc -pbkdf2 -in encrypted_secret_file.txt -out decrypted_secret_file.txt -pass pass:<Plaintext>

Replace <Plaintext> with the decrypted plaintext data key obtained from aws kms decrypt, and adjust the input and output file paths as needed.

By leveraging envelope encryption and tools like AWS KMS and OpenSSL, you can significantly bolster the security of your cloud-based data. Envelope encryption provides an added layer of protection that helps to mitigate the risk of data breaches and ensures that sensitive information remains confidential. Embracing envelope encryption and other security best practices is crucial for maintaining the integrity of your data in an increasingly interconnected world. Stay tuned for more cloud security tips and guides in upcoming blog posts.