I know I'm missing something here but I'm struggling to understand the customer master key concept in AWS KMS. Below is the sample code.
Code to create master key:
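```java
// kmsClient is an AWSKMS client built elsewhere (AWS SDK for Java v1).
CreateKeyRequest req = new CreateKeyRequest();
CreateKeyResult result = kmsClient.createKey(req);
// getKeyId() returns the key's identifier, not key material.
String customerMasterKey = result.getKeyMetadata().getKeyId();
```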
Code to create data key using customer master key:
```java
GenerateDataKeyRequest dataKeyRequest = new GenerateDataKeyRequest();
dataKeyRequest.setKeyId(customerMasterKey);
dataKeyRequest.setKeySpec("AES_128");
// The result carries the data key both in plaintext and encrypted under the CMK.
GenerateDataKeyResult dataKeyResult = kmsClient.generateDataKey(dataKeyRequest);
```
Now as per my understanding, I need to use the master key to decrypt the encrypted data key every time I want to encrypt/decrypt something. Which means I need to store these two keys in some location. So if someone else can get access to these two keys, would they be able to decrypt my data using the AWS Encryption SDK?
The master key never leaves AWS and is only accessible by someone with the appropriate access to your account and the key. If they have access to your account and the appropriate rights to use the key, then they can use the master key to encrypt/decrypt your data key. Remember the master key ID is not the actual key, therefore, being in possession of the key ID is not useful outside of AWS.
You do not store both keys; the master key ID will always be viewable using the console, CLI or SDK (I assume, since I have not used it).
The data key is not managed by the KMS service, therefore, you'll have to store it (after encrypting it with the master key) along with the encrypted data.
The answer to your question is... if it happens that an unauthorised individual has a copy of your master key ID and your encrypted data key, there's no way they can use that master key unless they also have access to your AWS user credentials with the appropriate rights to use that master key.
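The flow this answer describes, as an added example (not the asker's code and not AWS sample code). It assumes the AWS SDK for Java v1 used in the question, default credentials, and a symmetric CMK ID passed as the first argument; the class and helper names are hypothetical.

```java
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.DecryptRequest;
import com.amazonaws.services.kms.model.DecryptResult;
import com.amazonaws.services.kms.model.GenerateDataKeyRequest;
import com.amazonaws.services.kms.model.GenerateDataKeyResult;

import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class EnvelopeExample {
    // AES-GCM with the plaintext data key; this runs locally, not inside KMS.
    static byte[] aesGcm(int mode, byte[] key, byte[] iv, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c.doFinal(in);
    }

    static byte[] toBytes(ByteBuffer b) {
        byte[] out = new byte[b.remaining()];
        b.duplicate().get(out);
        return out;
    }

    public static void main(String[] args) throws Exception {
        String keyId = args[0];            // CMK key ID or ARN: an identifier, not key material
        AWSKMS kms = AWSKMSClientBuilder.defaultClient();

        // Encrypt: KMS returns the data key twice, in plaintext and encrypted under the CMK.
        GenerateDataKeyResult dk = kms.generateDataKey(
                new GenerateDataKeyRequest().withKeyId(keyId).withKeySpec("AES_128"));
        byte[] plainKey = toBytes(dk.getPlaintext());
        byte[] wrappedKey = toBytes(dk.getCiphertextBlob());   // store this next to the data
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] ct = aesGcm(Cipher.ENCRYPT_MODE, plainKey, iv, "constructed sample".getBytes(StandardCharsets.UTF_8));
        Arrays.fill(plainKey, (byte) 0);   // keep only wrappedKey, iv and ct

        // Decrypt: only a caller with kms:Decrypt on the CMK gets the data key back.
        DecryptResult dr = kms.decrypt(new DecryptRequest().withCiphertextBlob(ByteBuffer.wrap(wrappedKey)));
        byte[] pt = aesGcm(Cipher.DECRYPT_MODE, toBytes(dr.getPlaintext()), iv, ct);
        System.out.println(new String(pt, StandardCharsets.UTF_8) + " / unwrapped by " + dr.getKeyId());
    }
}
```

What ends up on disk is `wrappedKey`, `iv` and `ct`; none of them is usable without an authorized call to KMS.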
Related
So, I'm building an application for MTLS authentication and generate X509 certificates using AWS ACM PCA and bundle them together with a private key in PKCS#12 format.
At the moment I generate key pairs programmatically in Java which are never stored.
But since I'm not a security expert I thought maybe it's better to use AWS KMS for creating key pairs.
So, it seems like what I need is a CMK which can generate data key pairs which are stored in KMS.
If they're stored in KMS and I can fetch the private key at any time, how is that more secure than not storing it at all?
Or is the purpose of KMS only to store keys securely?
If you have a use for the encrypted private key that kms.generateDataKeyPair will provide, then it would be of use. It would also be a nice way to ensure that your keys are being generated securely (secure randomness, etc).
It’s important to note, KMS will not store the generated key pair. The idea is that you would store the plaintext public key, and the encrypted private key, and call kms.decrypt to turn the encrypted private key into plaintext whenever you need it.
I have a situation where I have been supplied with a public key. I can encrypt a file using command line gpg/pgp. However I want to use ADF to save the file to a blob store in its encrypted form using the customer-managed public key. I cannot do it by importing the private key pair into a key vault and using that key vault to encrypt the storage container, as I don't have the private key pair (it is not visible within the system which receives the encrypted file).
Is there a way to do this in ADF? I have seen one or two articles which use python scripts to decrypt a file in ADF, but not one to encrypt a file. Thanks for any help.
The "Encrypt Azure Data Factory with customer-managed keys" feature is for encrypting the data factory environment, i.e., the data that Data Factory stores in the system. Unfortunately there is no out-of-the-box feature in Azure Data Factory to perform encryption/decryption of files.
Though you can encrypt the data in Storage account and also in ADF separately using customer-managed public key.
I have reproduced the same and it is working fine for me.
Go to the storage account and click on Encryption on the left side of the panel.
Select the key vault and the key which you want to encrypt the data.
In ADF also, go to the Manager option on the left panel and click on Customer managed key and add Key URL to encrypt the ADF environment and data associated with it.
Note: A customer-managed key can only be configured on an empty data factory. The data factory can't contain any resources such as linked services, pipelines and data flows. It is recommended to enable the customer-managed key right after factory creation.
We use vault to store our credentials, I've successfully grabbed S3 Access key ID and Secret Access key using the vault API, and used channelMap.put to create mappings: ${access_key} and ${secret_key}.
However when I use these in the S3 file writer I get the error:
"The AWS Access Key Id you provided does not exist in our records."
I know the Access Key Id is valid, it works if I plug it in directly in the S3 file writer destination.
I'd appreciate any help on this. Thank you.
UPDATE: I had to convert the results to a string, that fixed it.
You can try moving the variable to a higher-scoped map. You can use globalChannelMap, globalMap or configurationMap. I would use the last one since it can store passwords not in plain text. You are currently using a channelMap; its scope only applies to the current message while it is traveling through the channel.
You can check more about variable maps and their scopes in the Mirth User Guide, section Variable Maps, page 393. I think that part of the manual is really important to understand.
See my comment, it was a race condition between Vault, Mirth and AWS.
I have created a CMK in ADF. I don't know how to consume the CMK in ADF, in either pipelines or data flows.
When I tried to add the pipeline, I don't get the option to select the CMK. Any information is helpful.
Let's review the entire process.
First we can use Azure Key Vault to generate an RSA 2048 key.
Add the key to the Azure Data Factory.
By default, data is encrypted with a randomly generated Microsoft-managed key. After we generate an RSA 2048 key via Key Vault, the data will be encrypted by customer-managed keys (CMK).
According to this document, customer-managed keys (CMK) is a type of server-side encryption. It gives us control over the keys, including Bring Your Own Keys (BYOK) support, or allows you to generate new ones.
Similar to transparent Data Encryption with customer managed keys in Azure SQL Database.
So we can conclude that customer-managed keys (CMK) is transparent to users. This encryption only acts on the network layer or the transport layer. In other words, there is no difference to us.
How do I get the KMS key information from the ciphertext blob?
Taking the example from the aws website
AWS KMS doc
```
aws kms encrypt --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --plaintext fileb://ExamplePlaintextFile --output text --query CiphertextBlob | base64 --decode > ExampleEncryptedFile
```
Is there any way to look at ExampleEncryptedFile and figure out which KMS key was used to encrypt it?
I ask because I'm having a problem reading something I encrypted and I want to verify it was encrypted with the key I thought it was.
Yes, you can get the key id by using aws kms decrypt (pass it the ciphertext and region) which does not require a key id to perform decryption. The information about the key that was used to encrypt is part of the ciphertext, therefore, KMS will be able to get this information and return you the "Plaintext" and the "KeyId".
I'm afraid you won't be able to do it. The encrypt API uses a customer master key (CMK) to encrypt the data, and that key never leaves AWS. Unless you saved the key ID somewhere (which is not a great practice), you won't be able to derive it from the encrypted file.
A couple things that can help, in case you have administrative access to the AWS console:
literally try calling aws kms decrypt using the master keys you have (assuming they are not many and the original one has not been deleted);
looking at your CloudTrail logs, you might be able to figure out which key was used if you have a rough idea of the time when it was used (assuming you have CloudTrail enabled on your KMS operations).
The encrypted blob contains the key information required to decrypt it. There is no way to figure out what key an encrypted blob was encrypted with as it's part of the encrypted value.
If you're unsure which key you used, you will have to either roll the value and encrypt it again or start attempting to decrypt with permissions that only have access to one key at a time.