
Securing Customer Data with KMS and Envelope Encryption in Node.js - arendn
https://blog.koan.co/securing-customer-data-with-kms-and-envelope-encryption-in-node-js-b61983ddaa98
======
gtsteve
In the article the author says,

> Customer Controlled Keys’ ambition is to provide customers with the ability
> to control the generation, rotation, deprecation and audit trail of their
> own encryption keys on our SaaS platform. It’s something we’re very
> interested in at Koan, as we feel it takes a significant step towards the
> “holy grail” of enterprise grade, multi-tenant SaaS software.

This is a nice option, but remember that the durability of customer master
keys is different to the durability of those generated in KMS. In the event of
a regional power outage or serious failure, you will need to re-import the key
material and if you've lost it, your data is lost. I don't feel this is made
obvious enough and I wanted to bring that to the attention of those interested
in KMS.

[http://docs.aws.amazon.com/kms/latest/developerguide/importi...](http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-considerations)

~~~
arendn
I try to make mention of single region dependency under the DR section and
offer a potential solution.

------
haimez
Congratulations, your worst case is just as bad and now you depend on dynamo
and kms to be functional to perform decrypt operations. To quote the article
(and many others): now you have two problems.

~~~
manigandham
What do you mean? Envelope encryption is a standard security model and can use
locally generated keys. They just need to be stored with the data but that can
be anywhere.

The master key(s) are what KMS is used for and it's better to have AWS handle
that than do it yourself considering the effort and control involved.

~~~
tgragnato
One could be free from a strong dependency over AWS, but this doesn't seem to
be the actual case. The SPOF is Amazon:

> This concern could be mitigated by encrypting the TMK with multiple region
> keys, and including the appropriate CMKID with each record. Impacts of this
> approach would be an increase in record write latency.

Multiple regions are a nice thing to have, but it's not real redundancy. Using
a key management cloud service doesn't mean someone should be trusting AWS
only.

~~~
manigandham
This topic is about security though, not high-availability. KMS comes with an
SLA but anyone is free to use multiple KMS APIs, although it just increases
the amount of key material and encrypted data to manage by N providers used.

