undefined | Better HN

0 pointsUltraSane1y ago0 comments

Encrypting data is easy, securely managing keys is the hard part. KMS is the Key Management Service. And AWS put a lot of thought and work into it.

https://docs.aws.amazon.com/kms/latest/cryptographic-details...

0 comments

evantbyrne1y ago

KMS access is granted by either environment variables or by authorizing the instance itself. Either way, if the instance is compromised, then so is access to KMS. So unless your threat model involves preventing the government from looking at your data through some theoretical sophisticated physical attack, then your primary concerns are likely the same as running a box in another physically secure location. So the same rules of needing to design your encryption scheme to minimize blowout from a complete hostile takeover still apply.

Xylakant1y ago

An attacker gaining temporary capability to encrypt/decrypt data through a compromised instance is painful. An attacker gaining a copy of a private key is still an entirely different world of pain.

evantbyrne1y ago

Painful is an understatement. Keys for sensitive customer data should be derived from customer secrets either way. Almost nobody does that though, because it requires actual forethought. Instead they just slap secrets in KMS and pretend it's better than encrypted environment variables or other secrets services. If an attacker can read your secrets with the same level of penetration into your system, then it's all the same security wise.

Xylakant1y ago

There are many kinds of secrets that are used for purposes where they cannot be derived from customer secrets, and those still need to be secured. TLS private keys for example.

I do disagree on the second part - there’s a world of a difference whether an attacker obtains a copy of your certificates private key and can impersonate you quietly or whether they gain the capability to perform signing operations on your behalf temporarily while they maintain access to a compromised instance.

1 more reply

fireflash381y ago

It's the same pain, since the resolution is the exact same. You have to rotate.

AtlasBarfed1y ago

It's now been two years since I used KMS, but at the time it seemed little more than S3 API interface with Twitter size limitations

Fundamentally why would KMS be more secure than S3 anyway? Both ultimately have the same fundamental security requirements and do the same thing.

So the big whirlydoo is KMS has hardware keygen. im sorry, that sounds like something almost guaranteed to have nsa backdoor, or has so much nsa attention it has been compromised.

scrose1y ago

If your threat model is the NSA and you’re worried about backdoors then don’t use any cloud provider?

Maybe I’m just jaded from years doing this, but two things have never failed me for bringing me peace of mind in the infrastructure/ops world:

1. Use whatever your company has already committed to. Compare options and bring up tradeoffs when committing to a cloud-specific service(ie. AWS Lambdas) versus more generic solutions around cost, security and maintenance.

2. Use whatever feels right to you for anything else.

Preventing the NSA from cracking into your system is a fun thought exercise, but life is too short to make that the focus of all your hosting concerns

blackqueeriroh1y ago

I guess since this is Hacker News, I shouldn’t be surprised that there are a bunch of commenters who are absolutely certain they and their random colo provider will do a better job of defeating the almighty NSA than AWS.

You won’t even know when they serve your Colo provider with a warrant under gag order, and I’m certain they’ll be able to bypass your own “tamper-proof” protections.

AtlasBarfed1y ago

Soo..... you're saying that KMS hardware key generation isn't that great anyway...

so, again, why bother with KMS? What does it offer?

My point about the hardware was asking why KMS hardware key generation has any real value vs a software generated key, and then why bother with KMS and its limited secret size, and you access KMS with a policy/security user or role that can be used equally to lock down S3?

What is the value of KMS?

UltraSaneOP1y ago

If the NSA is part of your threat model then good luck. I'm not sure any single company could withstand the NSA really trying to hack them for years. The threat of possible NSA backdoors is not a reasonable argument against a cloud provider as the NSA could also have backdoors in every CPU AMD and Intel and AWS makes.

champtar1y ago

You can securely store your asymmetric key for signing, but if I remember correctly the logs are pretty useless, basically you just know the key was used to make a signature, no option to log the signature or additional metadata, which would help auditing after an account/app compromise.

j / k navigate · click thread line to collapse

0 comments

evantbyrne1y ago

Xylakant1y ago

An attacker gaining temporary capability to encrypt/decrypt data through a compromised instance is painful. An attacker gaining a copy of a private key is still an entirely different world of pain.

evantbyrne1y ago

Xylakant1y ago

There are many kinds of secrets that are used for purposes where they cannot be derived from customer secrets, and those still need to be secured. TLS private keys for example.

1 more reply

fireflash381y ago

It's the same pain, since the resolution is the exact same. You have to rotate.

AtlasBarfed1y ago

It's now been two years since I used KMS, but at the time it seemed little more than S3 API interface with Twitter size limitations

Fundamentally why would KMS be more secure than S3 anyway? Both ultimately have the same fundamental security requirements and do the same thing.

So the big whirlydoo is KMS has hardware keygen. im sorry, that sounds like something almost guaranteed to have nsa backdoor, or has so much nsa attention it has been compromised.

scrose1y ago

If your threat model is the NSA and you’re worried about backdoors then don’t use any cloud provider?

Maybe I’m just jaded from years doing this, but two things have never failed me for bringing me peace of mind in the infrastructure/ops world:

2. Use whatever feels right to you for anything else.

Preventing the NSA from cracking into your system is a fun thought exercise, but life is too short to make that the focus of all your hosting concerns

blackqueeriroh1y ago

You won’t even know when they serve your Colo provider with a warrant under gag order, and I’m certain they’ll be able to bypass your own “tamper-proof” protections.

AtlasBarfed1y ago

Soo..... you're saying that KMS hardware key generation isn't that great anyway...

so, again, why bother with KMS? What does it offer?

What is the value of KMS?

UltraSaneOP1y ago

champtar1y ago

j / k navigate · click thread line to collapse