Pablo Rodriguez

Encrypting Data At Rest

Security Fundamentals

Protecting data at rest provides critical security advantages:

  • Confidentiality and Integrity: Ensures information remains secure and unmodified
  • Additional Protection Layer: Extra security if a system becomes compromised
  • Compliance Requirements: May be required for business or regulatory compliance
  • Attack Mitigation: Makes data compromise much more difficult even with endpoint access

The Confidentiality, Integrity, and Availability (CIA) triad guides data security implementation:

  • Confidentiality: Keeps personal data safe from unauthorized access
  • Integrity: Ensures data isn’t modified throughout its lifecycle
  • Availability: Ensures data stays accessible when needed for authorized users

Encryption is the process of using a code (cipher) to convert readable data into unreadable data:

  • Cipher: Contains the algorithms used to encrypt and decrypt data
  • Key: Series of numbers and letters used by the algorithm for encryption/decryption
  • Plaintext: Original readable data
  • Ciphertext: Encrypted, unreadable data

Example: “Hello World!” might become “1c28df2b595b4e30b7b07500963dc7c” when encrypted.

Strong encryption algorithms rely on mathematical properties to:

  • Produce ciphertext that cannot be decrypted without the key
  • Resist decryption using any practically available computing power
  • Make key protection and management the critical part of security, since the ciphertext is only as safe as the key

Symmetric Encryption

Characteristics

  • Uses same key to encrypt and decrypt data
  • Key is shared secret between sender and receiver
  • Typically faster and more efficient for large amounts of data
  • Widely used and generally accepted as secure

Best Practices

  • Change keys frequently to prevent unauthorized access
  • Ideal for data not leaving organization boundaries
  • Used in TLS protocol for data exchange

Symmetric encryption is the right choice when:

  • Speed, cost, and lower computational overhead are priorities
  • Encrypting large amounts of data
  • Encrypted data isn’t leaving organization network boundaries

Asymmetric Encryption

Uses a key pair approach with distinct encryption and decryption keys:

  • Public Key: Used for encryption, can be shared openly
  • Private Key: Used for decryption, must be highly restricted
  • Security: Generally more secure than symmetric encryption but slower
  • Complexity: More complex, with longer key lengths and calculations

Asymmetric encryption is the right choice when:

  • Sharing data outside the organization
  • Regulations prohibit sharing symmetric keys
  • Non-repudiation is required (prevents the sender from denying a message)
  • Strict segregation of encryption key access based on organizational roles is needed

Envelope Encryption

The practice of encrypting the key used to encrypt your data, through multiple layers:

  1. Data Encryption: Encrypt item with data key
  2. Key Encryption: Encrypt data key with key-encryption key
  3. Layer Addition: Continue wrapping keys to desired number of layers
  4. Storage: Store the encrypted data key alongside the encrypted item (the plaintext data key is never stored)

Analogy: Like locking valuables in a safe, then locking the safe key in a safety deposit box, and locking that key away as well.

Client-Side Encryption

  • Process: Application encrypts data before sending it to AWS
  • Key Management: Create and manage your own encryption keys
  • Control: Keys and algorithms known only to you
  • Data State: Data stored in encrypted form throughout
  • Decryption: Data decrypted by the application after receiving it from AWS

Data encryption occurs in the corporate data center before transmission:

  • Unencrypted data is encrypted locally
  • Amazon S3 receives only encrypted data
  • S3 doesn’t participate in the encryption/decryption process
  • Keys are stored in AWS KMS or within the application

Server-Side Encryption

Encryption happens at the AWS service endpoint:

  • Unencrypted data is uploaded over HTTPS
  • Amazon S3 encrypts the data before storage
  • The service endpoint handles encryption and key management
  • Data is decrypted transparently when accessed

Managed Service

AWS KMS provides comprehensive cryptographic key management:

  • Key Creation: Create and control encryption keys
  • Hardware Security: Uses FIPS 140-2 validated HSMs to protect keys
  • Service Integration: Integrates with other AWS services
  • Usage Policies: Set policies determining which users can use keys
  • Centralized Management: Keys never leave AWS KMS unencrypted
  • Audit Logging: All operations logged in AWS CloudTrail

Key types:

  • Customer Managed: KMS keys you create, own, and manage
  • KMS Managed: Created, managed, and used by AWS services on your behalf
  • Data Key (Symmetric): Symmetric keys for encrypting data outside AWS KMS
  • Data Key Pair (Asymmetric): Mathematically related public/private key pair

Core API operations:

  • Encrypt: Encrypts plaintext of up to 4,096 bytes using a KMS key
  • Decrypt: Decrypts ciphertext encrypted by a KMS key
  • GenerateDataKey: Returns a unique symmetric data key for external use
  • GenerateDataKeyPair: Returns a unique asymmetric data key pair for external use

Amazon S3 integration:

  • Server-Side Encryption: S3 uses KMS keys to encrypt objects
  • Key Security: Encryption keys never leave AWS KMS unencrypted
  • Permission Control: Set permissions on KMS keys and audit operations
  • Envelope Encryption: Uses envelope encryption to protect data keys

Amazon EBS integration:

  • Volume Encryption: Encrypted volumes protect data at rest, disk I/O, and snapshots
  • Transparent Operation: Encryption/decryption handled transparently
  • Instance Support: Supported on all EBS volume types with compatible EC2 instances
  • Automatic Inheritance: Snapshots and volumes created from encrypted sources are automatically encrypted

S3 server-side encryption with KMS keys, encryption workflow:

  1. Upload Request: User requests to upload a file to an encrypted S3 bucket
  2. Data Key Request: Amazon S3 requests a data key from AWS KMS
  3. Key Generation: AWS KMS generates a plaintext data key and encrypts it with the customer managed key
  4. Key Delivery: AWS KMS sends both the plaintext and the encrypted data key to S3
  5. Object Encryption: S3 encrypts the object with the plaintext key, stores the object with the encrypted data key, and deletes the plaintext key

Decryption workflow:

  1. Access Request: User requests to open the encrypted object
  2. Decrypt Request: S3 sends the encrypted data key to AWS KMS
  3. Key Decryption: AWS KMS decrypts the data key using the customer managed key (which never leaves KMS)
  4. Plaintext Return: AWS KMS sends the plaintext data key back to S3
  5. Object Decryption: S3 decrypts the object ciphertext, allows access, and deletes the plaintext data key
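The envelope-encryption layers described earlier and the S3 encryption/decryption workflow just above, as an added Go example that is not code from the original page or from AWS: FakeKMS is a hypothetical in-process stand-in for AWS KMS whose GenerateDataKey and Decrypt calls are modelled on the KMS API operations named on this page, and AES-256-GCM from the Go standard library is assumed for both the data layer and the key-wrapping layer.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// mustRand and mustGCM panic only on a dead CSPRNG or a wrong key length, both unrecoverable.
func mustRand(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	g, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block
	return g
}
// seal returns nonce || ciphertext || tag under AES-256-GCM; open reverses and authenticates it.
func seal(g cipher.AEAD, pt []byte) []byte {
	nonce := mustRand(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}
func open(g cipher.AEAD, sealed []byte) ([]byte, error) {
	if len(sealed) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}
// FakeKMS is a hypothetical stand-in for AWS KMS: the KMS key (KEK) never leaves it; GenerateDataKey and Decrypt mirror the KMS calls used in the S3 workflow above.
type FakeKMS struct{ kek cipher.AEAD }
func NewFakeKMS() *FakeKMS { return &FakeKMS{kek: mustGCM(mustRand(32))} }
func (k *FakeKMS) GenerateDataKey() (plain, wrapped []byte) {
	plain = mustRand(32)
	return plain, seal(k.kek, plain)
}
func (k *FakeKMS) Decrypt(wrapped []byte) ([]byte, error) { return open(k.kek, wrapped) }
// Upload flow: get a data key, encrypt, keep only ciphertext + wrapped key, delete the plaintext key.
func EnvelopeEncrypt(kms *FakeKMS, pt []byte) (ct, wrappedKey []byte) {
	dk, wrapped := kms.GenerateDataKey()
	ct = seal(mustGCM(dk), pt)
	for i := range dk { dk[i] = 0 }
	return ct, wrapped
}
// Access flow: KMS unwraps the data key (the KEK stays inside KMS), then the object is decrypted.
func EnvelopeDecrypt(kms *FakeKMS, ct, wrappedKey []byte) ([]byte, error) {
	dk, err := kms.Decrypt(wrappedKey)
	if err != nil { return nil, err }
	return open(mustGCM(dk), ct)
}
```

Only the ciphertext and the wrapped key are ever stored; a copy of the stored pair is useless without access to the KMS key, and any modification of the stored object fails authentication on access.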

Amazon EBS Encryption

Amazon EBS encryption provides a straightforward solution for EBS resources associated with EC2 instances:

  • Encryption Standard: Uses AES-256-XTS, which requires two 256-bit keys (effectively a 512-bit key)
  • Key Management: The data key is encrypted under a KMS key in your account
  • Grant Requirement: Amazon EBS must hold a grant on the customer managed key to perform data key operations

EBS encryption workflow:

  1. Data Key Acquisition: Amazon EBS obtains a data key encrypted under the customer managed key through AWS KMS
  2. Key Storage: The encrypted data key is stored with the encrypted data
  3. Key Retrieval: The EC2 host servers retrieve the encrypted data key from storage
  4. Decryption Call: A TLS call is made to AWS KMS to decrypt the encrypted data key
  5. HSM Processing: AWS KMS identifies the KMS key and makes an internal HSM request to decrypt the data key
  6. Memory Storage: The decrypted data key is held in memory on the host for encrypting/decrypting EBS volume data
  7. Key Retention: Amazon EBS retains the encrypted data key so the volume stays available if the in-memory key is lost

Advanced Encryption Standard (AES): A symmetric encryption algorithm established by the US National Institute of Standards and Technology (NIST).

Consider these factors when selecting an encryption approach:

  • Data Sensitivity: Higher sensitivity may require client-side encryption
  • Performance Requirements: Symmetric encryption is faster for large datasets
  • Compliance Needs: Regulations may dictate specific encryption methods
  • Key Management: Evaluate internal vs AWS-managed key capabilities
  • Integration Requirements: Consider existing AWS service integrations

Key management best practices:

  • Rotation: Implement regular key rotation policies
  • Access Control: Limit key access based on the principle of least privilege
  • Auditing: Monitor key usage through CloudTrail logging
  • Backup: Ensure proper key backup and recovery procedures
  • Documentation: Maintain clear key management documentation

Security considerations:

  • Defense in Depth: Use encryption as part of a comprehensive security strategy
  • Key Separation: Separate data encryption keys from key encryption keys
  • Access Patterns: Monitor unusual key access patterns
  • Compliance Alignment: Ensure encryption meets regulatory requirements

Encrypting data at rest is essential for maintaining data confidentiality and integrity in cloud environments. AWS provides multiple encryption options from client-side to server-side approaches, with AWS KMS serving as the central key management service. Understanding the differences between symmetric and asymmetric encryption, along with envelope encryption patterns, enables organizations to implement appropriate data protection strategies. The seamless integration between AWS KMS and services like Amazon S3 and Amazon EBS makes it easier to implement robust encryption without sacrificing performance or usability.