> Customer Controlled Keys’ ambition is to provide customers with the ability to control the generation, rotation, deprecation and audit trail of their own encryption keys on our SaaS platform. It’s something we’re very interested in at Koan, as we feel it takes a significant step towards the “holy grail” of enterprise grade, multi-tenant SaaS software.
This is a nice option, but remember that the durability of customer master keys is different to the durability of those generated in KMS. In the event of a regional power outage or serious failure, you will need to re-import the key material and if you've lost it, your data is lost. I don't feel this is made obvious enough and I wanted to bring that to the attention of those interested in KMS.
Congratulations, your worst case is just as bad and now you depend on dynamo and kms to be functional to perform decrypt operations. To quote the article (and many others): now you have two problems.
What do you mean? Envelope encryption is a standard security model and can use locally generated keys. They just need to be stored with the data but that can be anywhere.
The master key(s) are what KMS is used for and it's better to have AWS handle that then do it yourself considering the effort and control involved.
One could be free from a strong dependency over AWS, but this doesn't seem to be the actual case. The SPOF is Amazon:
> This concern could be mitigated by encrypting the TMK with multiple region keys, and including the appropriate CMKID with each record. Impacts of this approach would be an increase in record write latency.
Multiple regions are a nice thing to have, but it's not real redundancy. Using a key management cloud service doesn't mean someone should be trusting AWS only.
This topic is about security though, not high-availability. KMS comes with an SLA but anyone is free to use multiple KMS API's, although it just increases the amount of key material and encrypted data to manage by N providers used.
> Customer Controlled Keys’ ambition is to provide customers with the ability to control the generation, rotation, deprecation and audit trail of their own encryption keys on our SaaS platform. It’s something we’re very interested in at Koan, as we feel it takes a significant step towards the “holy grail” of enterprise grade, multi-tenant SaaS software.
This is a nice option, but remember that the durability of customer master keys is different to the durability of those generated in KMS. In the event of a regional power outage or serious failure, you will need to re-import the key material and if you've lost it, your data is lost. I don't feel this is made obvious enough and I wanted to bring that to the attention of those interested in KMS.
http://docs.aws.amazon.com/kms/latest/developerguide/importi...