Hacker News new | comments | ask | show | jobs | submit login

"KMS provides access to master encryption keys,... but doesn’t provide direct access to the master key itself, so it can’t be stolen."

Doesn't Amazon KMS have access to the master key? And therefore, it can be stolen from them?


"AWS KMS is designed so that no one has access to your master keys."

"...never storing plaintext master keys on disk, not persisting them in memory, and limiting which systems can connect to the device..."

Translation: We promise to not look at your keys.

Granted, this is most likely better than nothing, especially if you trust AWS, but ideally, you want only the client to have the key material.

If you're running in AWS with any secret management service that isn't using CloudHSM, you're trusting AWS with your key material.

There surely is some amount of trust there, though.

My undertanding was that the Customer Master Key was stored in an HSM, but your customer-generated keys were not. I might be wrong about that. So if true, AWS employees would not have access to your root key material, but the definitely the intermediary key material. It's a cost trade-off

Either way, you have to bootstrap secret material onto your instances somehow, so you've got to trust Amazon somewhere.

Not to diminish your point -- the how/where/when really does matter. Locking your house key in your car is still better than leaving it on your front step, but also not as good as in your pocket.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact