
I found that AWS RDS allows encrypting DB resources with AWS KMS. Because it is done inside the AWS infrastructure, the encryption key can easily be rotated automatically. It is cool, but it is only encryption at rest.

I would additionally like to have some particular columns in the database encrypted, for example SSN. I would like to store them encrypted and decrypt them to display them inside my application. Moreover, I would like to have an individual key for every user.

The main problem I observed will be the rotation of the key. As I'm thinking of rotating the key for one user, I would like to do this inside my application:

  • get a current encryption key from KMS
  • decrypt all the data from RDS encrypted with the current key
  • generate a new encryption key
  • encrypt everything again and store data in RDS
  • store the new key in the KMS

The main problem here would be to keep everything in a "transaction": to "commit" if everything was fine and to "roll back" everything if anything went wrong.

I wonder if such key rotation for encryption at the column level could be done automatically inside the AWS infrastructure. Do you have any ideas about that? Maybe you know some other, better approach for such a situation?

Piotr Pradzynski

3 Answers

1

What problem are you solving by having individual keys per user? The KMS paradigm is to use policy to grant access to a Customer Master Key (CMK). As Mark pointed out above, there is a limit on the number of keys.

Have a look at this walkthrough

There is a section at the bottom about key rotation strategies that might help:

"A recommended approach to manual key rotation is to use key aliases within AWS KMS. This allows users to always select the same key alias when configuring databases, while the key administrator rotates the underlying CMK. By keeping the old CMK, you allow any applications that currently use this key to still decrypt any data that was encrypted by it, as long as the CMK key policy still gives the AWSServiceRoleForRDS role permission as a Key User. It also allows for any new data to be encrypted with the new CMK."

D Chapman
1

I would additionally like to have encrypted some particular columns in the database.

Then I assume you will use a form of key wrapping (data keys).

The main problem which I observed will be the rotation of the key
..
encrypt everything again and store data in RDS
store the new key in the KMS

The purpose of key rotation is to limit the amount of data encrypted by a single key, not to re-encrypt the whole encrypted content.

Suggestion:

  • as already linked - encrypt your data using a random (per row?) data key.
  • encrypt the data key using the user-specific key.
  • encrypt the user-key with a KMS-key

Key rotation (KMS) should be transparent for you, with no action to take.

If you wish to manually rotate the user keys, you may; IMHO it is not so critical: the user keys are used to encrypt the data keys, relatively short data with high entropy.

IMHO the action taken on rotation should be creating a new key and preserving the old one for decryption purposes, not re-encrypting all the database records.

gusto2
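The following is an added example of my own, not code from the question or from any of the answers, that puts the three suggestions together: a random per-row data key, a per-user key that wraps the data keys, a KMS customer master key (reached through an alias) that wraps the user keys, and rotation that creates a new key version while keeping the old one for decryption instead of re-encrypting the column data. AWS KMS is simulated by an in-memory `FakeKMS` class with hypothetical key ids (`cmk-v1`, `cmk-v2`, ...) so the code runs offline; real code would call KMS `GenerateDataKey`/`Decrypt` through boto3. The cipher is an HMAC-SHA256 keystream with encrypt-then-MAC, a standard-library stand-in for AES-GCM used only to avoid dependencies. The sample SSN is constructed.

```python
# Added example (mine, not code from the question or any answer) of the key
# hierarchy the answers describe. AWS KMS is simulated by an in-memory class so
# it runs offline (real code would call GenerateDataKey/Decrypt via boto3), and
# the cipher is an HMAC-SHA256 keystream with encrypt-then-MAC: a standard-library
# stand-in for AES-GCM, chosen only so the example has no dependencies.
import hashlib, hmac, secrets
from dataclasses import dataclass

KEY_LEN = 32

def _prf(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def _keystream(key, nonce, n):
    # Counter-mode keystream; the b"ks" label separates it from the tag PRF.
    return b"".join(_prf(key, b"ks", nonce, i.to_bytes(4, "big"))
                    for i in range(-(-n // 32)))[:n]

def _tag(key, aad, nonce, ct):
    return _prf(key, b"tag", len(aad).to_bytes(4, "big"), aad, nonce, ct)

def seal(key, plaintext, aad=b""):
    """Authenticated encryption; layout: nonce(16) | ciphertext | tag(32)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _tag(key, aad, nonce, ct)

def open_(key, blob, aad=b""):
    """Verify the tag before decrypting; tampering or a wrong AAD raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, _tag(key, aad, nonce, ct)):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class FakeKMS:
    """Stand-in for KMS: CMK bytes never leave it, old CMKs stay usable for
    decryption, and the alias always names the newest CMK (hypothetical ids)."""
    def __init__(self):
        self._cmks, self.alias = {}, None
    def rotate(self):
        self.alias = f"cmk-v{len(self._cmks) + 1}"
        self._cmks[self.alias] = secrets.token_bytes(KEY_LEN)
        return self.alias
    def encrypt(self, plaintext):               # -> (cmk id, wrapped bytes)
        return self.alias, seal(self._cmks[self.alias], plaintext, self.alias.encode())
    def decrypt(self, cmk_id, blob):
        return open_(self._cmks[cmk_id], blob, cmk_id.encode())

@dataclass
class Row:
    user_id: str
    user_key_version: int    # which user-key version wraps this row's data key
    wrapped_data_key: bytes
    ciphertext: bytes        # the encrypted column value (e.g. an SSN)

class ColumnVault:
    """Hierarchy: CMK -> per-user key -> random per-row data key -> column value."""
    def __init__(self, kms):
        self.kms, self.user_keys, self.rows = kms, {}, []
    def add_user_key(self, user_id):
        versions = self.user_keys.setdefault(user_id, [])
        versions.append(self.kms.encrypt(secrets.token_bytes(KEY_LEN)))
        return len(versions)                    # new version number
    def _user_key(self, user_id, version):
        return self.kms.decrypt(*self.user_keys[user_id][version - 1])
    def store(self, user_id, value):
        version, data_key = len(self.user_keys[user_id]), secrets.token_bytes(KEY_LEN)
        row = Row(user_id, version, seal(self._user_key(user_id, version), data_key,
                                         user_id.encode()), seal(data_key, value))
        self.rows.append(row)
        return row
    def load(self, row):
        user_key = self._user_key(row.user_id, row.user_key_version)
        return open_(open_(user_key, row.wrapped_data_key, row.user_id.encode()), row.ciphertext)
    def rotate_user_key(self, user_id, rewrap=False):
        """Add a user-key version and keep the old ones so existing rows still decrypt.
        rewrap=True re-wraps only the 32-byte data keys; column ciphertext is untouched."""
        new = self.add_user_key(user_id)
        for row in self.rows if rewrap else []:
            if row.user_id == user_id and row.user_key_version != new:
                data_key = open_(self._user_key(user_id, row.user_key_version),
                                 row.wrapped_data_key, user_id.encode())
                row.wrapped_data_key = seal(self._user_key(user_id, new), data_key, user_id.encode())
                row.user_key_version = new
        return new

def demo():
    kms = FakeKMS()
    kms.rotate()                                # initial CMK behind the alias
    vault = ColumnVault(kms)
    vault.add_user_key("alice")
    row = vault.store("alice", b"123-45-6789")  # constructed sample SSN
    ct_before = row.ciphertext
    kms.rotate()                                # KMS rotates the CMK: nothing to do
    after_cmk = vault.load(row)
    vault.rotate_user_key("alice")              # new user key, old one kept
    after_user = vault.load(row)
    vault.rotate_user_key("alice", rewrap=True) # only the data key is re-wrapped
    return {"after_cmk": after_cmk, "after_user": after_user, "after_rewrap": vault.load(row),
            "row_version": row.user_key_version, "ct_unchanged": row.ciphertext == ct_before}
```

Two properties of this layout matter for the question's "transaction" worry: a CMK rotation in KMS changes nothing in the database, because each wrapped user key records which CMK wrapped it, and a user-key rotation only appends a version, so a half-finished re-wrap leaves every row decryptable under whichever version it still references. If you do choose to re-wrap, each row update touches only the 32-byte wrapped data key, which is a small, idempotent row-level write rather than a re-encryption of the column data.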
0

Are you using something like AWS Cognito to give each user temporary IAM permissions when they log in? Otherwise, I don't see the point of giving each user a separate KMS key, since you would be giving a single entity (your server) access to all the keys. Also note that there is a limit of 10,000 KMS keys in an AWS account. That's quite a bit, but if you have a website where anybody can sign up you might run up against that limit if you are assigning each user a key.

As for handling key rotation automatically, since you have to write the custom code to encrypt individual column values in your database, you will also have to write the code to perform all the steps of the key rotation process. You could create that as an AWS Lambda function and configure it to run "automatically", but it isn't something Amazon gives you out of the box without any custom code.

Mark B
  • Thanks for all your comments. Nope, I'm not using AWS Cognito. So as I understand I would have to have one user which will have access to all the keys at once, right? Which is not the best option... – Piotr Pradzynski Oct 02 '19 at 12:15
  • Not one "user" exactly. You provide access to a KMS key via AWS IAM roles. You would assign an IAM role to any EC2 server or Lambda function that needs to be able to use a specific KMS key. – Mark B Oct 02 '19 at 12:21