An HSM (hardware security module) is a physical computing device, and usually an expensive one. Not every software project or solution needs this kind of specialized hardware, but in many cases it can be a great security plus. Nowadays a lot of sensitive information is stored in databases, and any external or internal security breach could reveal important enterprise information or users' private data.
So, why not protect some very special data with an extra layer of security? "Oh! I can't afford an HSM, and my solution runs on (write any kind of remote virtual server here)." Well, that will not stop us today.
We assume that we already have an account at AWS (Amazon Web Services).
- Go to the IAM Management Console and create a new user. Remember to download the AWS credentials.
The "Access Key ID" and "Secret Access Key" will be needed later.
- In the left menu choose the "Encryption Keys" option and create a new key. Choose the correct AWS region.
- Enter the key alias and a description, and in the advanced options choose KMS.
- "Key Administrative Permissions": the users that can administer this key.
- "Key Usage Permissions": the users that can use this key.
- Review the key policy (JSON format) and finish this step.
The key's "ARN" will be needed later.
So far we have created an encryption key and a user with permission to use it. The next step is to encrypt and decrypt some data. From an AWS EC2 instance this can be done with the "aws" command line tool.
- "aws configure". Provide the user credentials.
- "aws kms encrypt". Encrypt data with the previously created key.
- "aws kms decrypt". 😉
"Yes, yes, very nice, but I want to use it in my Windows application."
Well, let's see how to do it.
We assume that you already have Visual Studio® installed and a C# project.
- Add the AWS and AWS KMS references. This is easily done via NuGet packages.
- Create objects and variables to:
- Provide the user credentials
- Provide the key
- Call the encrypt/decrypt methods
- Get the encrypted/decrypted data.
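The steps above, as an added example that is not the author's code: it uses the AWS SDK for .NET (the AWSSDK.KeyManagementService NuGet package) and assumes the key ARN arrives in a KMS_KEY_ARN environment variable (a placeholder), the eu-west-1 region, and credentials resolved by the SDK's default chain (the profile written by "aws configure" or an EC2 instance role) rather than keys hard-coded in the application. It also enforces the 4 KB limit and passes an encryption context, both discussed later in the post.

```csharp
// Added example, not the author's code. Assumes AWSSDK.KeyManagementService, a key ARN in
// the KMS_KEY_ARN environment variable (placeholder) and SDK default-chain credentials.
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Amazon;
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;

public static class KmsDemo
{
    private const int MaxPlaintextBytes = 4096; // KMS Encrypt limit (the 4 KB caveat)

    public static async Task<byte[]> EncryptAsync(IAmazonKeyManagementService kms,
        string keyArn, string plaintext, Dictionary<string, string> context)
    {
        byte[] bytes = Encoding.UTF8.GetBytes(plaintext);
        if (bytes.Length > MaxPlaintextBytes)
            throw new ArgumentException("KMS Encrypt takes at most 4096 bytes; use envelope encryption for more.");
        var response = await kms.EncryptAsync(new EncryptRequest
        {
            KeyId = keyArn,
            Plaintext = new MemoryStream(bytes),
            EncryptionContext = context // optional AAD; Decrypt must present the same pairs
        });
        return response.CiphertextBlob.ToArray(); // blob carries key metadata (the 136-byte minimum)
    }

    public static async Task<string> DecryptAsync(IAmazonKeyManagementService kms,
        byte[] ciphertext, Dictionary<string, string> context)
    {
        // No KeyId here: KMS reads the key id from the blob, which is why rotation is transparent.
        var response = await kms.DecryptAsync(new DecryptRequest
        {
            CiphertextBlob = new MemoryStream(ciphertext),
            EncryptionContext = context
        });
        return Encoding.UTF8.GetString(response.Plaintext.ToArray());
    }

    public static async Task Main()
    {
        string keyArn = Environment.GetEnvironmentVariable("KMS_KEY_ARN"); // placeholder, see lead-in
        var context = new Dictionary<string, string> { { "purpose", "demo" } };
        using var kms = new AmazonKeyManagementServiceClient(RegionEndpoint.EUWest1);
        byte[] blob = await EncryptAsync(kms, keyArn, "top secret", context);
        Console.WriteLine($"{blob.Length}-byte ciphertext: {Convert.ToBase64String(blob)}");
        Console.WriteLine(await DecryptAsync(kms, blob, context));
    }
}
```

Store only the ciphertext blob; the key never leaves KMS, and every Encrypt/Decrypt call is logged by CloudTrail for audit.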
AWS also provides APIs for other languages like Java, Ruby… With KMS it is very easy to define policies to rotate keys. Centralized key management, logs and audits are included.
Just some caveats to keep in mind:
- The encrypted data has a minimum length of 136 bytes (the metadata needed to decrypt the information is included in the response). This is by design: that way you can rotate your key without worrying about which key was used to encrypt data some time ago.
- The maximum length of data to encrypt is 4 KB.
- To use AWS KMS you need network access to the KMS endpoints, for instance kms.eu-west-1.amazonaws.com.
- Encrypt/decrypt is very, very fast, but network latency can slow your requests. Choose the right AWS region.
- Encrypting and decrypting data is different in the USA from the rest of the world due to legal regulations, so be careful when using keys from regions inside or outside the USA.
I think the whole process is not too complicated. Moreover, adding this extra security layer to some parts of our data is easy. Of course, it's a matter of trust in Amazon Web Services. Do you trust them or not? And our clients? What do you think?
Written by Antoni Tovar