Show HN: Encrypt your home-lab server disks using AWS Key Management Service (github.com/randomvariable)
39 points by randomv on Dec 18, 2017 | hide | past | favorite | 27 comments



Sometimes I read about projects like this and just think to myself "Your scientists were so preoccupied with whether or not they could, they didn’t stop to think if they should."


Threat-model wise, this seems no different from storing the decryption secret on disk (wherever the access/secret keys are stored in this setup), with one exception: remotely-revokable keys.

That is a nice property and a pretty cool way to achieve it.


There's a few different revocation options:

* `grant-computer` creates a KMS grant as per http://docs.aws.amazon.com/kms/latest/developerguide/grants.... . `revoke-computer` removes the grant without touching the keys.

* The AWS access keys for the IAM user the tool uses, which can be rotated, revoked, recreated, etc...

* The per-disk encryption key, which can be deleted from DynamoDB

* The KMS CMK, which can be deleted, disabled, etc...

I mainly wanted to solve having to plug in a keyboard and type something in, or having a key on a USB stick and be diligent enough to take it out of the home.


Once secret data, especially potentially valuable but small data, is shared beyond one's own control, never assume it can be or has been deleted. In fact, one should probably assume the opposite. Has it been saved? Probably not, but it could easily be. Carefully evaluate your threat model, the risk might be small enough to be acceptable, but always exercise great care in saying "but it can be/has been forgotten".


My understanding is the machine needs AWS credentials to use this. So instead of managing disk encryption keys, you have to manage AWS credentials instead. Can somebody correct me if this is wrong?

If this is the case, then this is really only useful for managing multiple disks and giving some remote control.


Quite nice since you can very easily manage aws credentials and get stuff like 2FA. Encryption Keys might be a bit trickier.


Because that’s exactly what I want to do - give my home encryption keys to amazon.


Yep, and the keys could be renewed or revoked remotely. What could go wrong?


This is really cool and reminds me a bit of Mandos which does full disk encryption on headless servers using a network host.

The Readme didn't mention, can this be configured to SMS me when an encryption key is handed out?


You can have an SNS topic configured to message you on a key creation event via Lambda worst case. We’re talking maybe seven lines of code here.


It uses the GenerateDataKey API against a single master key.

At the client side, yes, could send an SNS notification, or otherwise go indirectly via a Lambda.

Or, alternatively, stream CloudTrail logs through Lambda to achieve a similar result.
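The CloudTrail route described above, as an added illustration that is not part of the project or the thread: a small filter, in the style of what a Lambda fed by CloudTrail would run, that flags every GenerateDataKey or Decrypt against one CMK and raises the severity when the call comes from somewhere other than the home connection. The CMK ARN, the expected IP and the sample records are all constructed placeholders.

```python
import json

# Placeholder values, not from the project: the home lab's CMK and its usual public IP.
WATCHED_CMK = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
EXPECTED_IPS = {"203.0.113.10"}
HANDOUT_EVENTS = {"GenerateDataKey", "Decrypt"}  # the KMS calls that release key material

def key_arns(record):
    """Every CMK ARN a KMS CloudTrail record references (resources[] or requestParameters.keyId)."""
    arns = {r.get("ARN") for r in record.get("resources") or []}
    key_id = (record.get("requestParameters") or {}).get("keyId")
    if key_id:
        arns.add(key_id)
    return {a for a in arns if a}

def key_handout_alerts(records):
    """One alert per GenerateDataKey/Decrypt against WATCHED_CMK; 'high' severity when
    the call did not come from the expected home address, so an SNS filter can page on it."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com" or rec.get("eventName") not in HANDOUT_EVENTS:
            continue
        if WATCHED_CMK not in key_arns(rec):
            continue
        ip = rec.get("sourceIPAddress", "")
        alerts.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "principal": (rec.get("userIdentity") or {}).get("arn", "unknown"),
            "ip": ip,
            "context": (rec.get("requestParameters") or {}).get("encryptionContext") or {},
            "severity": "high" if ip not in EXPECTED_IPS else "info",
        })
    return alerts

# Constructed sample CloudTrail records (not real logs): a boot-time GenerateDataKey from
# home, an unrelated S3 call, and a Decrypt of the same disk's key from an unexpected address.
SAMPLE_RECORDS = json.loads("""[
 {"eventTime":"2017-12-18T07:01:02Z","eventSource":"kms.amazonaws.com","eventName":"GenerateDataKey",
  "sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::123456789012:user/homelab"},
  "requestParameters":{"keyId":"%(k)s","keySpec":"AES_256","encryptionContext":{"disk":"sda2"}},
  "resources":[{"ARN":"%(k)s"}]},
 {"eventTime":"2017-12-18T07:05:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject",
  "sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::123456789012:user/homelab"}},
 {"eventTime":"2017-12-18T23:41:09Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt",
  "sourceIPAddress":"198.51.100.7","userIdentity":{"arn":"arn:aws:iam::123456789012:user/homelab"},
  "requestParameters":{"encryptionContext":{"disk":"sda2"}},"resources":[{"ARN":"%(k)s"}]}
]""" % {"k": WATCHED_CMK})
```

Running `key_handout_alerts(SAMPLE_RECORDS)` yields two alerts: the morning GenerateDataKey at "info" and the late Decrypt from 198.51.100.7 at "high"; the S3 call is ignored.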


What happens if you need to decrypt a disk and you are not online? It wasn't clear to me that you'd have access to your data.

Maybe that is OK, maybe not.


Bizarre.


The only confusing thing about this is: you’re cool with AWS but insist on deploying your own hardware for personal projects!

You can buy a lot of EC2 compute per month before you hit the cost of running outdated servers on your power bill.


I have a 45W 9TB fileserver at home (5x3TB disks, RAID-6), which costs me around $5/month in electricity. Plus another $10 for the Crashplan backup.

I'm using around 3TB of space on it currently, which would cost around $70/month in S3 or $12/month in Glacier (in reality I'd use a combination of S3/Glacier so my costs would be somewhere between $12 and $70/month)

Granted, the hardware costs me around $25/month amortized over 3 years but my internet speed isn't fast enough (or unlimited enough) to let cloud storage be a viable replacement of a local fileserver.


Ok, so you're at 25/mo + 5/mo + 10/mo = $40/mo for self hosted. That's almost exactly "halfway between 12 and 70/mo". Plus, S3/Glacier and a backed up hard drive (even with raid) are nowhere near the same product.


But like I said, my internet bandwidth + quota is not high enough to replace my fileserver with cloud hosting, so I'd still have that expense -- and the $25/month fileserver also acts as a security camera recorder, a media server and a few other things, so it's more than a fileserver.

And yeah, S3 is not a fileserver replacement. AWS's best solution for that would be EFS, but that'd cost me $900/month for my usage.


Absolutely not true.

You can buy a 1u server with 2 processors / 24 logical cores and 32 gigs of ram off ebay for around $150.

Say what you have is 2x L5640 Xeons (pretty common, again on ebay). You'll be drawing 80-150W depending on load per cpu. Let's say it's on the upper end and you draw about 250W.

Average electric costs in the US are 12c/kwh. That means those cores will cost around $20/month.

In reality, other things draw power, but your average usage will be lower, so $20/month for 32GB of ram and 24 kinda crappy cores is about right power wise.

Look at AWS's pricing and tell me I can get anything even approaching that at such a good price point.


Came here to say this. Load up on $20 2TB SAS drives in an R510 or something like that, and you'll use a little more power, but also be beating the pants off AWS for cost/GB purposes.


Wait, where can you purchase 2 TB drives at $20 USD?


Yup. My homelab currently looks like 2 x HP Z400s for grunt work, and some HP microservers for light duties. When I'm not actively labbing, a microserver does daily home network duties (Pihole, firewall etc) and sips power.

All of this was acquired for bargain prices second hand. I'll probably sell it on in a few years for at least 50% of what I paid, too.


Comparing raw hardware with one of the dozens of services offered by AWS is absurd to say the least, as you’re basically ignoring the whole platform that enhances “EC2” - of course raw hardware price will always win, but that doesn’t really mean anything as the comparison isn’t a good one.


As a base problem, "I need fast storage and CPU resources" isn't necessarily solved in the cloud either. If you're deploying hardware that needs to write large amounts of data daily and requires high CPU availability, even if AWS pricing was ok, you're still connectivity bound, which itself is an increased cost. I can also see this being valuable for MSSPs deploying assets across client networks and wanting to manage encryption keys in the cloud, vs on prem.

None of the additional Amazon cloud features are even in play with the above scenario.


Yes, I agree that it's a dumb comparison. I'm only making it to refute the parent comment which said:

> You can buy a lot of EC2 compute per month before you hit the cost of running outdated servers on your power bill.

I can't see any way of interpreting that other than as them claiming the dumb comparison I just made plays out differently than it does.

If the parent comment said something like "It will take a lot of time and money to reproduce any meaningful percentage of what EC2 offers" I'd be in agreement... but the parent comment was directly comparing a power bill with ec2 compute costs.


Depends on what you're doing. It's still way cheaper to host block storage at home than most any cloud provider right now.


Yeah, that's a pretty big deal. Costs add up quickly on S3 even with Glacier.

But I agree, often AWS is better for your lab than a home server, particularly if what you need to test is clustering.

Also, Elastic Filestore over a VPN connection is not a particularly great experience ;)


Except if you need and use a lot of storage.



