
Can anyone define the process flow for data encryption and decryption for me, running a local HSM in the data centre connected via an IPsec tunnel to AWS, and using our local HSM for these actions? What is the process flow for encrypting and decrypting objects and data? The data is obviously not sent down the line to the HSM, but what exactly is? I am planning on keeping the CMKs on prem in the local HSM.

PaddyRank

1 Answer


The data is obviously not sent down the line to the HSM, but what exactly is?

Encrypting all data through a local HSM, or even KMS, directly wouldn't be very efficient. So what KMS or your local HSM should encrypt is the encryption key.

In KMS or your local HSM, you can generate a master key per service/purpose.

You can encrypt data using a random encryption key and then encrypt the data encryption key using the KMS/HSM (with the service key). Just store the master key ID, encrypted data key and IV next to the encrypted content.

gusto2