Data Encryption

  • Encryption at rest available in EBS, S3, Glacier, RDS (Oracle and SQL Server) and Redshift.
  • Key management through AWS KMS – you can choose whether to control the keys yourself or let AWS manage them.
  • Server side encryption of message queues in SQS.
  • Dedicated hardware-based cryptographic key storage using AWS CloudHSM, allowing you to satisfy compliance requirements.
  • APIs to integrate AWS security into any applications you create.

Server-Side Encryption

  • Server-side encryption is encryption of data at rest.
  • For example, Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it.
  • You still need to authenticate your request and have the access permissions for the object.

There are three mutually exclusive options, depending on how you choose to manage the encryption keys:

  • Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) – Each object is encrypted with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.
  • Use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) – Similar to SSE-S3, but with some additional benefits along with some additional charges for using this service. There are separate permissions for the use of an envelope key (that is, a key that protects your data’s encryption key) that provides added protection against unauthorized access of your objects in Amazon S3. SSE-KMS also provides you with an audit trail of when your key was used and by whom. Additionally, you have the option to create and manage encryption keys yourself, or use a default key that is unique to you, the service you’re using, and the Region you’re working in.
  • Use Server-Side Encryption with Customer-Provided Keys (SSE-C) – You manage the encryption keys, and Amazon S3 manages the encryption as it writes to disks and the decryption when you access your objects.

Client-side encryption is the act of encrypting data before sending it to Amazon S3. To enable client-side encryption, you have the following options:

  • Use an AWS KMS-managed customer master key.
  • Use a client-side master key.

The following AWS SDKs support client-side encryption:

  • AWS SDK for .NET
  • AWS SDK for Go
  • AWS SDK for Java
  • AWS SDK for PHP
  • AWS SDK for Ruby
  • AWS SDK for C++

Sample Implementation

In the diagram above:

  1. The administrator encrypts a secret password by using KMS. The encrypted password is stored in a file.
  2. The administrator puts the file containing the encrypted password in an S3 bucket.
  3. At instance boot time, the instance copies the encrypted file to an internal disk.
  4. The EC2 instance then decrypts the file using KMS and retrieves the plaintext password. The password is used to configure the Linux encrypted file system with LUKS. All data written to the encrypted file system is encrypted by using an AES-256 encryption algorithm when stored on disk.
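
The four steps above as an added shell example (not code from the original page or from AWS): the administrator half encrypts the passphrase with KMS and uploads the ciphertext file with SSE-KMS, and the instance half fetches and decrypts it at boot and hands it to cryptsetup without writing the plaintext to disk. The key alias, bucket path, device name and file paths are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original page or from AWS; every resource name is a placeholder.
set -eu

KMS_KEY_ID="${KMS_KEY_ID:-alias/example-luks-key}"                    # assumed KMS key alias
S3_URI="${S3_URI:-s3://example-bucket/luks/passphrase.enc}"          # assumed bucket/object
LOCAL_CIPHERTEXT="${LOCAL_CIPHERTEXT:-/var/lib/luks/passphrase.enc}" # copy on internal disk
LUKS_DEVICE="${LUKS_DEVICE:-/dev/xvdf}"                               # assumed data volume
LUKS_NAME="${LUKS_NAME:-securedata}"

# Steps 1-2 (administrator): encrypt the passphrase with KMS and put the ciphertext
# file in S3. The plaintext is read from stdin, so it lands in neither the shell
# history nor a file; a failed kms call aborts (set -e) instead of uploading an empty blob.
admin_store_secret() {
    blob=$(aws kms encrypt --key-id "$KMS_KEY_ID" --plaintext fileb:///dev/stdin \
        --query CiphertextBlob --output text)
    printf '%s' "$blob" | base64 -d > passphrase.enc
    # SSE-KMS on the upload: the ciphertext file is itself encrypted at rest
    # in S3 and every use of the key is recorded in the KMS audit trail.
    aws s3 cp passphrase.enc "$S3_URI" --sse aws:kms --sse-kms-key-id "$KMS_KEY_ID"
    rm -f passphrase.enc
}

# Steps 3-4 (EC2 instance, at boot): copy the ciphertext to an internal disk, decrypt
# it with KMS and hand the passphrase to cryptsetup over stdin, so the plaintext never
# touches disk. The instance role needs kms:Decrypt on this key and s3:GetObject on this object.
instance_open_luks() {
    aws s3 cp "$S3_URI" "$LOCAL_CIPHERTEXT"
    b64=$(aws kms decrypt --ciphertext-blob "fileb://$LOCAL_CIPHERTEXT" \
        --query Plaintext --output text)
    passphrase=$(printf '%s' "$b64" | base64 -d)
    first_boot=0
    if ! cryptsetup isLuks "$LUKS_DEVICE"; then
        # First boot: format as LUKS with AES-256 (XTS mode needs a 512-bit key).
        printf '%s' "$passphrase" | cryptsetup luksFormat --batch-mode --key-file - \
            --cipher aes-xts-plain64 --key-size 512 "$LUKS_DEVICE"
        first_boot=1
    fi
    printf '%s' "$passphrase" | cryptsetup luksOpen --key-file - "$LUKS_DEVICE" "$LUKS_NAME"
    unset passphrase b64
    if [ "$first_boot" -eq 1 ]; then mkfs.ext4 "/dev/mapper/$LUKS_NAME"; fi
}
main() {
    case "${1:-}" in
        admin) admin_store_secret ;;
        instance) instance_open_luks ;;
        *) echo "usage: $0 admin|instance" >&2; return 2 ;;
    esac
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run `printf '%s' "$SECRET" | ./luks-secret.sh admin` once as the administrator and `./luks-secret.sh instance` from the instance's boot script; the KMS key policy should grant kms:Encrypt to the administrator and only kms:Decrypt to the instance role.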