Does AWS KMS use envelope encryption?

Views: 235

Question

The maximum data size allowed for AWS KMS encryption is 4kb, so whenever we use encryption in AWS services/resources, is the encryption done using envelope encryption? I.e., the data is encrypted at the resource side itself with a key, and that key is encrypted with another key (the CMK) and stored along with the data, and decryption happens in the reverse order of the above steps. Is my understanding correct?

Recommended answer

Generally the CMK is not used for encrypting the data that you are looking to encrypt.

Whilst it's a matter of opinion on the 4kb limit, data encryption keys provide a more secure approach to encrypting the data.

Because each resource could have its own data encryption key, the risk of having all of your resources decrypted if a single encryption key is compromised is reduced (in fact, if this happens, KMS supports re-encryption to generate a new data key).

What you describe is correct for the S3 implementation of KMS. A Base64-encoded encrypted key is stored alongside the object it encrypts. To decrypt, S3 needs to decrypt the data key for the object using the CMK, then use the decrypted data encryption key to decrypt the object.

Other services will have different implementations; for example, DynamoDB does this on a per-table basis.

For more information on how each service has implemented KMS, take a look at the How AWS Services use AWS KMS page.

