I am expecting very high traffic on one of my services, and I would like to add encryption for a new feature. I know KMS makes an API call for each encrypt/decrypt call, but is it possible to use KMS for key management and cache the keys in memory to encrypt/decrypt locally without additional API calls?
The KMS key never leaves its hardware. That's it.
By default, KMS is intended for envelope encryption. There is a data encryption key, and KMS is used to encrypt the data key.
You can call KMS to generate a random data key along with its encrypted value and then use the data key to encrypt the data itself.
If you are encrypting for the same system (data are encrypted for the same target), you may reuse the same data key and use a unique IV to encrypt multiple messages.
Edit: I'd suggest using the AWS Encryption SDK, which helps developers do it properly.

gusto2
- Good answer, but I think a little extra caution about the mode selected and proper generation of an IV/nonce is warranted. I see so, so many posts where the lack of understanding there is clearly evident. – erickson Oct 22 '21 at 21:28
- @erickson true, plus not mentioning the necessity of the MAC. A full crypto course and tutorial is out of scope of the answer; regardless, many questions seem to lack the basic understanding. – gusto2 Oct 22 '21 at 21:33
- Appreciate the answer. So it sounds like KMS might not be the right tool for the job because an API call is needed each time for decryption/encryption. Or maybe having a data key for encryption that we encrypt and store in Secrets Manager, then decrypt on the app's startup to use through the life cycle of the app. – irregular Oct 25 '21 at 17:17
- @irregular you may cache the data key in case all the encryptions are for the same receiver, e.g. when you decrypt in the same application as encrypting. We still assume it is properly done (unique, random IV, authenticated encryption, ...). – gusto2 Oct 25 '21 at 18:04
- Could you go a bit deeper into what you mean by authenticated encryption? – irregular Oct 26 '21 at 17:03
- Yes, so the encryptions are all for the same receiver. By cache the data key, do you mean have KMS generate a data key, encrypt the data key, store the encrypted data key in a DB or Secrets Manager for example, then use that for all encryption/decryption going forward? – irregular Oct 26 '21 at 17:06