1 of 18

Cloud based Key Management Services

By Louis Chu

2 of 18

Agenda

  • Cryptography concepts
  • AWS encryption SDK
  • AWS KMS
  • Google Cloud KMS
  • Azure key vault

3 of 18

Cryptography concepts

  • Hash
  • Symmetric VS Asymmetric
  • Encryption of data at rest
  • Symmetric Mode
    • AES-GCM
  • Key Derivation Functions

4 of 18

Key Management

  • Key rotation
  • Harder to obtain the key
  • Track and log key usage
  • And more!

5 of 18

Envelope encryption

6 of 18

AWS Encryption SDK

  • Concepts
    • Keyring
  • Modules
    • Encrypt
    • Decrypt
    • Hkdf
    • Material management
    • Material cache

7 of 18

KMS Key hierarchy

8 of 18

AWS KMS key policy

9 of 18

AWS KMS auditing & Amazon S3 data trail

10 of 18

AWS KMS Use case – Kinesis Streams records

11 of 18

AWS KMS other features

  • Digital Signature
  • Asymmetric encryption
  • Multi-Region key

12 of 18

Azure Key Vault Overview

  • Centralization and protection
    • Application secrets
    • Encryption Keys
    • Certificates
  • Vault backed by HSM (Hardware Security Modules)
  • HSM Pools

13 of 18

Azure Key Vault – Application Secrets

14 of 18

Azure Key Vault Concepts

  • Tenant
  • Security Principal
  • Resource
  • Resource Group
  • Azure Active Directory
  • Managed Identities
  • Rest API reference: https://learn.microsoft.com/en-us/rest/api/keyvault/

15 of 18

Azure Key Value Panel

16 of 18

Google Cloud KMS Overview

  • Centrally manage encryption keys
  • Deliver hardware key security with HSM
  • Provide support for external keys with EKM

17 of 18

Comparison

18 of 18

Ref