How can I import a local asymmetric private key to AWS KMS and use? - amazon-kms

I'm going to import my local asymmetric private key into KMS and use it in the VPC only.
It seems importing an asymmetric key is not supported in AWS KMS.
https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
It is not supported on asymmetric KMS keys, HMAC KMS keys, or KMS keys in custom key stores.
But this seems to be available using AWS CloudHSM:
https://docs.aws.amazon.com/cloudhsm/latest/userguide/key_mgmt_util-importPrivateKey.html
The importPrivateKey command in key_mgmt_util imports an asymmetric private key into an HSM.
So, my question is, how can I use this imported key in KMS?
I found this https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html
You cannot create asymmetric KMS keys, HMAC KMS keys or KMS keys with imported key material in a custom key store.
Then, I guess, I can upload a private key to CloudHSM, but it won't be usable in KMS, right? I'm so confused by those articles. Isn't there a way to use an asymmetric key from CloudHSM in KMS?

Related

Are KMS data key pairs secure?

So, I'm building an application for mTLS authentication. I generate X.509 certificates using AWS ACM PCA and bundle them together with a private key in PKCS#12 format.
At the moment I generate key pairs programmatically in Java, and they are never stored.
But since I'm not a security expert, I thought maybe it's better to use AWS KMS for creating key pairs.
So, it seems like what I need is a CMK which can generate data key pairs which are stored in KMS.
If they're stored in KMS and I can fetch the private key at any time, how is that more secure than not storing it at all?
Or is the purpose of KMS only to store keys securely?
If you have a use for the encrypted private key that kms.generateDataKeyPair will provide, then it would be of use. It would also be a nice way to ensure that your keys are being generated securely (secure randomness, etc).
It's important to note that KMS will not store the generated key pair. The idea is that you would store the plaintext public key and the encrypted private key, and call kms.decrypt to turn the encrypted private key into plaintext whenever you need it.
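The pattern the answer describes, written out as an added Java example (AWS SDK for Java v2 plus the JDK's own KeyFactory; this is not code from the question or the answer): GenerateDataKeyPair under a symmetric encryption KMS key, persist only the public key and the private-key ciphertext blob, and call Decrypt later to rebuild an RSAPrivateKey on demand. The key ID and the in-memory StoredKeyPair holder are assumptions for illustration; a real application would persist the two byte arrays in its own datastore.

```java
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;

import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.DataKeyPairSpec;
import software.amazon.awssdk.services.kms.model.DecryptRequest;
import software.amazon.awssdk.services.kms.model.DecryptResponse;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyPairRequest;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyPairResponse;

public class KmsDataKeyPairExample {

    /** What the application persists: the public key in the clear, the private key only as a KMS ciphertext blob. */
    public static final class StoredKeyPair {
        public final byte[] publicKeyDer;        // X.509 SubjectPublicKeyInfo, safe to store in plaintext
        public final byte[] encryptedPrivateKey; // PKCS#8 private key encrypted under the KMS key; useless without KMS

        StoredKeyPair(byte[] publicKeyDer, byte[] encryptedPrivateKey) {
            this.publicKeyDer = publicKeyDer;
            this.encryptedPrivateKey = encryptedPrivateKey;
        }
    }

    /** Ask KMS for a fresh RSA-2048 pair. keyId must be a symmetric encryption KMS key (assumed placeholder). */
    public static StoredKeyPair generate(KmsClient kms, String keyId) {
        GenerateDataKeyPairResponse resp = kms.generateDataKeyPair(GenerateDataKeyPairRequest.builder()
                .keyId(keyId)
                .keyPairSpec(DataKeyPairSpec.RSA_2048)
                .build());
        // resp.privateKeyPlaintext() is also returned here for immediate use (e.g. building the PKCS#12 bundle);
        // it is deliberately not kept. Only the ciphertext blob is stored, exactly as the answer suggests.
        return new StoredKeyPair(resp.publicKey().asByteArray(), resp.privateKeyCiphertextBlob().asByteArray());
    }

    /** The public half never needed KMS: decode it straight from what was stored. */
    public static PublicKey loadPublicKey(StoredKeyPair stored) throws Exception {
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(stored.publicKeyDer));
    }

    /** The private half exists in plaintext only inside this call's result; KMS itself never stored it. */
    public static PrivateKey loadPrivateKey(KmsClient kms, StoredKeyPair stored) throws Exception {
        DecryptResponse resp = kms.decrypt(DecryptRequest.builder()
                .ciphertextBlob(SdkBytes.fromByteArray(stored.encryptedPrivateKey))
                .build());
        byte[] pkcs8 = resp.plaintext().asByteArray();
        try {
            return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(pkcs8));
        } finally {
            Arrays.fill(pkcs8, (byte) 0); // wipe our copy of the decrypted key material
        }
    }

    public static void main(String[] args) throws Exception {
        String keyId = "alias/example-data-key-pair-cmk"; // placeholder alias, not a real key
        try (KmsClient kms = KmsClient.create()) {
            StoredKeyPair stored = generate(kms, keyId);
            PublicKey pub = loadPublicKey(stored);
            PrivateKey priv = loadPrivateKey(kms, stored);
            System.out.println("public:  " + pub.getAlgorithm() + ", " + stored.publicKeyDer.length + " bytes DER");
            System.out.println("private: " + priv.getFormat() + " recovered via KMS Decrypt");
        }
    }
}
```

The security property this buys over generating the pair locally is the one the answer names: the private key is never at rest anywhere in plaintext, and every later use of it is a KMS Decrypt call that is authorised by the key policy and recorded in CloudTrail. Anyone who can call Decrypt on that KMS key can recover the private key, so the key policy and IAM permissions on Decrypt are what actually protect it.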

Azure Data Factory File encryption using Public Key

I have a situation where I have been supplied with a public key. I can encrypt a file using command-line gpg/pgp. However, I want to use ADF to save the file to a blob store in its encrypted form using the customer-managed public key. I cannot do it by importing the private key pair into a key vault and using that key vault to encrypt the storage container, as I don't have the private key pair (it is not visible within the system which receives the encrypted file).
Is there a way to do this in ADF? I have seen one or two articles which use Python scripts to decrypt a file in ADF, but not one to encrypt a file. Thanks for any help.
The "Encrypt Azure Data Factory with customer-managed keys" feature is there to encrypt the data factory environment, i.e., to encrypt the data that Data Factory stores in the system. Unfortunately, there is no out-of-the-box feature in Azure Data Factory to perform encryption/decryption of files.
Though you can encrypt the data in the Storage account and also in ADF separately using a customer-managed key.
I have reproduced the same and it is working fine for me.
Go to the storage account and click on Encryption on the left side of the panel.
Select the key vault and the key with which you want to encrypt the data.
In ADF also, go to the Manage option on the left panel, click on Customer managed key and add the Key URL to encrypt the ADF environment and the data associated with it.
Note: A customer-managed key can only be configured on an empty data factory. The data factory can't contain any resources such as linked services, pipelines and data flows. It is recommended to enable the customer-managed key right after factory creation.

CMK usage in ADF pipelines

I have created a CMK in ADF. I don't know how to consume the CMK in ADF, either in pipelines or data flows.
When I tried to add the pipeline, I didn't get an option to select the CMK. Any information is helpful.
Let's review the entire process.
First we can use Azure Key Vault to generate an RSA 2048 key.
Add the key to the Azure Data Factory.
By default, data is encrypted with a randomly generated Microsoft-managed key. After we generate an RSA 2048 key via Key Vault, the data will be encrypted by customer-managed keys (CMK).
According to this document, customer-managed keys (CMK) are a type of server-side encryption. They give us control over the keys, including Bring Your Own Key (BYOK) support, or allow you to generate new ones.
This is similar to Transparent Data Encryption with customer-managed keys in Azure SQL Database.
So we can conclude that customer-managed keys (CMK) are transparent to users. This encryption only acts on the network layer or the transport layer. In other words, there is no difference to us.

Getting the KMS key from KMS CipherTextBlob

How do I get the KMS key information from the ciphertext blob?
Taking the example from the AWS website:
AWS KMS doc
aws kms encrypt --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --plaintext fileb://ExamplePlaintextFile --output text --query CiphertextBlob | base64 --decode > ExampleEncryptedFile
Is there any way to look at ExampleEncryptedFile and figure out which KMS key was used to encrypt it?
I ask because I'm having a problem reading something I encrypted and I want to verify it was encrypted with the key I thought it was.
Yes, you can get the key ID by using aws kms decrypt (pass it the ciphertext and region), which does not require a key ID to perform decryption. The information about the key that was used to encrypt is part of the ciphertext; therefore, KMS will be able to get this information and return you the "Plaintext" and the "KeyId".
I'm afraid you won't be able to do it. The encrypt API uses a customer master key (CMK) to encrypt the data, and that key never leaves AWS. Unless you saved the key ID somewhere (which is not a great practice), you won't be able to derive it from the encrypted file.
A couple of things that can help, in case you have administrative access to the AWS console:
literally try calling aws kms decrypt using the master keys you have (assuming they are not many and the original one has not been deleted);
looking at your CloudTrail logs, you might be able to figure out which key was used if you have a rough idea of the time when it was used (assuming you have CloudTrail enabled on your KMS operations).
The encrypted blob contains the key information required to decrypt it. There is no way to figure out what key an encrypted blob was encrypted with, as it's part of the encrypted value.
If you're unsure which key you used, you will have to either roll the value and encrypt it again or start attempting to decrypt with permissions that only have access to one key at a time.
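The first answer's approach, as an added Java example (AWS SDK for Java v2; not code from any of the answers): read the raw blob that the `aws kms encrypt ... | base64 --decode` pipeline wrote, call Decrypt with no KeyId, and take the key ARN from the response. KMS only accepts a Decrypt without KeyId for ciphertext produced under a symmetric encryption KMS key, because that is the case where the key identity is carried in the blob's metadata. The file path and the expected key ARN are placeholders.

```java
import java.nio.file.Files;
import java.nio.file.Path;

import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.DecryptRequest;
import software.amazon.awssdk.services.kms.model.DecryptResponse;
import software.amazon.awssdk.services.kms.model.KmsException;

public class WhichKmsKey {

    /**
     * Decrypt the blob without naming a key and return the ARN of the key KMS actually used.
     * Works for symmetric encryption KMS keys; for an asymmetric key the KeyId parameter is required,
     * so this call would fail and you would have to name candidate keys explicitly.
     */
    public static String keyArnFor(KmsClient kms, byte[] ciphertextBlob) {
        DecryptResponse resp = kms.decrypt(DecryptRequest.builder()
                .ciphertextBlob(SdkBytes.fromByteArray(ciphertextBlob))
                .build());
        // resp.plaintext() is returned too; this check only needs the key identity, so it is ignored here.
        return resp.keyId();
    }

    /** The verification the question asks for: was this blob encrypted under the key I think it was? */
    public static boolean encryptedWith(KmsClient kms, byte[] ciphertextBlob, String expectedKeyArn) {
        try {
            return expectedKeyArn.equals(keyArnFor(kms, ciphertextBlob));
        } catch (KmsException e) {
            // Typical causes: the caller lacks kms:Decrypt on the key that made the blob, the key was
            // disabled or scheduled for deletion, or the blob is not a KMS ciphertext at all.
            System.err.println("Decrypt refused, cannot confirm the key: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // ExampleEncryptedFile is the raw (already base64-decoded) output from the aws kms encrypt pipeline above.
        byte[] blob = Files.readAllBytes(Path.of(args.length > 0 ? args[0] : "ExampleEncryptedFile"));
        String expected = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"; // placeholder ARN
        try (KmsClient kms = KmsClient.create()) {
            System.out.println("encrypted under: " + keyArnFor(kms, blob));
            System.out.println("matches expected key: " + encryptedWith(kms, blob, expected));
        }
    }
}
```

Note that Decrypt returns the key ARN, not the bare key ID or alias, so compare against the ARN. Each of these calls also lands in CloudTrail as a Decrypt event naming the key, which is the same evidence the second answer suggests searching for after the fact.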

[GAE]: How to create a JWT to obtain an access token

I am trying to create a JWT for authentication against Google's App Engine.
The main issue is that I need to create a signer with RSA using the SHA-256 hashing algorithm.
The only library I found which supports this is Nimbus, but their signing always uses an already created private key which is of type RSAPrivateKey. I need to be able to sign with the private key String I obtained from Google.
How can I transform the String representation of my private key into an RSAPrivateKey object?
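An added Java example answering the question with only the JDK (no Nimbus); this is not code from the question. It assumes the private key String is the PKCS#8 PEM text ("-----BEGIN PRIVATE KEY-----") that Google ships in a service-account JSON file, which is the common case; the parser strips the PEM armour, decodes the Base64 DER and hands it to KeyFactory, then the same key signs an RS256 JWT with SHA256withRSA. Because a real Google key cannot be embedded here, main() generates a throwaway RSA pair and PEM-encodes it as a constructed stand-in for the downloaded string; the iss/scope values are placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

public class ServiceAccountJwt {

    /** Turn a PKCS#8 PEM string into an RSAPrivateKey. Tolerates literal "\n" sequences from a raw JSON read. */
    public static RSAPrivateKey parsePkcs8Pem(String pem) throws Exception {
        String body = pem
                .replace("\\n", "\n")                         // key copied out of JSON without unescaping
                .replace("-----BEGIN PRIVATE KEY-----", "")
                .replace("-----END PRIVATE KEY-----", "")
                .replaceAll("\\s", "");                       // drop line breaks and stray whitespace
        byte[] der = Base64.getDecoder().decode(body);        // PKCS#8 PrivateKeyInfo, DER
        return (RSAPrivateKey) KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    private static String b64url(byte[] data) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(data); // JWT uses unpadded base64url
    }

    /** Produce a compact JWT header.claims.signature using RS256 (RSASSA-PKCS1-v1_5 over SHA-256). */
    public static String signJwt(String claimsJson, RSAPrivateKey key) throws Exception {
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String signingInput = b64url(header.getBytes(StandardCharsets.UTF_8)) + "."
                + b64url(claimsJson.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + b64url(sig.sign());
    }

    /** Check a JWT's RS256 signature with the matching public key (what the token endpoint does on its side). */
    public static boolean verifyJwt(String jwt, RSAPublicKey key) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return false;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return sig.verify(Base64.getUrlDecoder().decode(parts[2]));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the key string Google hands out: a fresh pair, PEM-encoded the same way.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        String pem = "-----BEGIN PRIVATE KEY-----\n"
                + Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                        .encodeToString(kp.getPrivate().getEncoded())
                + "\n-----END PRIVATE KEY-----\n";

        RSAPrivateKey priv = parsePkcs8Pem(pem);
        long now = System.currentTimeMillis() / 1000;
        String claims = String.format(
                "{\"iss\":\"%s\",\"scope\":\"%s\",\"aud\":\"%s\",\"iat\":%d,\"exp\":%d}",
                "service-account@example-project.iam.gserviceaccount.com", // placeholder client_email
                "https://www.googleapis.com/auth/cloud-platform",         // placeholder scope
                "https://oauth2.googleapis.com/token",                    // Google's OAuth 2.0 token endpoint
                now, now + 3600);                                         // Google caps the lifetime at one hour

        String jwt = signJwt(claims, priv);
        System.out.println(jwt);
        System.out.println("signature verifies: " + verifyJwt(jwt, (RSAPublicKey) kp.getPublic()));
    }
}
```

The resulting JWT is what gets posted to the token endpoint as the `assertion` with grant type `urn:ietf:params:oauth:grant-type:jwt-bearer`. If the PEM is instead an older "-----BEGIN RSA PRIVATE KEY-----" (PKCS#1) block, PKCS8EncodedKeySpec will reject it, so check the header line before assuming the parse failure is a corrupted key.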