Is Microsoft's KMS functionally the same as Amazon's KMS? - amazon-kms

As I understand it: Microsoft's KMS is used to temporarily enable Windows \ Office, whereas Amazon's KMS is for cryptographic key management.
Are both KMS services fundamentally the same: if so in what sense?
Is there some unifying explanation or model of Key Management that explains the two KMS versions?

They are entirely different. Where Microsoft KMS provides an activation service (as you noted), AWS KMS is an encryption service to securely store key material and encrypt/decrypt data.

Related

Mongodb: Client side Field Level encryption - integration with Hashicorp vault

We plan to use client-side field-level encryption for some confidential fields in our product. To generate and manage the Customer Master key, we want to use Hashicorp Vault. KMS providers currently supported are only: Amazon Web Services KMS and Locally Managed Keyfile.
To work with Hashicorp Vault, it seems, we need to choose Locally Managed Keyfile as the KMS provider. This means that the Master key will be fetched from Vault into memory and then used in the code to encrypt/decrypt the DEK (Data Encryption Key). Ideally, the decryption of the DEK should happen in the vault itself as a best practice, and the master key should not be brought out of Vault.
Is there a way to achieve this? There are numerous articles around encryption at rest and integration with Hashicorp vault, but none of them is for CSFLE. Need help if anyone is using CSFLE.
Thanks

How to store a custom key in AWS KMS

I'm using OpenSSL to generate an asymmetric key locally on my machine. I want to store this key in AWS KMS. Is there a possibility to achieve that?
From Importing key material in AWS Key Management Service (AWS KMS) - AWS Key Management Service:
Imported key material is supported only for symmetric CMKs in AWS KMS key stores. It is not supported on asymmetric CMKs or CMKs in custom key stores.
So, it seems that you cannot import an asymmetric key into AWS KMS.

Can't use AWS IAM Roles with KMS Providers for MongoDB Client Side Field Level Encryption?

I am using EC2 Instance profile credentials for allowing the AWS EC2 instance to access other AWS services.
Recently, I implemented MongoDB Client-Side Field-Level Encryption for which the AWS KMS has been used as KMS Providers. The MongoDB Documentation for CSFLE mentions that the KMS Provider should have secret key and access key that maps to an IAM User.
This way I will have to create another IAM User and then maintain those credentials separately. A simpler way (and more secure) would have been to use the DefaultCredentialsProvider from software.amazon.awssdk:auth and that could have used the credentials from the instance profile that could have given access to the KMS. But this does not work for me and MongoClient fails as KMS rejects the security token used.
Is there any reason behind not allowing this way of accessing KMS?
As with all projects, the initial implementation of CSFLE had a scope. This scope did not include the ability to use instance roles for credential identification.
I suggest you submit your request to https://feedback.mongodb.com/ for consideration.

Encrypt Mongodb with Google Cloud Key Management Service

Is it possible to use Google KMS with Mongodb server on Ubuntu 18.04 (GCP) to encrypt data at rest? What are the requirements? How is it done? I want to use mongodb encryption feature for additional security.
The documentation mentions KMIP protocol and does Google provide such service?
ps: I have installed Mongodb enterprise edition on my server along with other services such as backend.
From your comment, and assuming your question is in regard to how to use the KMS integration with MongoDB:
For a start, it is possible to use KMS with MongoDB. Google even provides an out-of-the-box solution of MongoDB Atlas to integrate with KMS via the Marketplace.
However, this integration is not available on Atlas M0, M2 and M5.
You can follow the same link for details on how to use the integration. If you have any specific question on this integration, please edit your question to include it.
Data on GCP is always encrypted at rest. You can optionally use your own KMS keys to encrypt the disks.
gcloud compute disks create encrypted-disk \
--kms-key projects/[KMS_PROJECT_ID]/locations/[REGION]/keyRings/[KEY_RING]/cryptoKeys/[KEY]

Encryption Details of filesystem backend for Hashicorp Vault Community Edition

I cannot find any information about how the filesystem storage backend encrypts data at rest in the Hashicorp Vault Community Edition. Does anyone know the details of the encryption cipher(s), hashing algorithms, etc.? Is it configurable or is there a way to inspect the ciphers on an existing filesystem vault?
Quoting from the official documentation:
Vault uses a security barrier for all requests made to the backend. The security barrier automatically encrypts all data leaving Vault using a 256-bit Advanced Encryption Standard (AES) cipher in the Galois Counter Mode (GCM) with 96-bit nonces.
So the cipher used for storing secrets is AES-256 with GCM. I think that this is an architectural choice that cannot be changed.