Amazon SSE-S3密钥轮换如何工作? [英] How does Amazon SSE-S3 key rotation work?
问题描述
我正在尝试把注意力集中在Amazon的Server Side Encryption选项上,这样我就可以开始要求S3在我的应用程序上传文件时对静态数据进行加密.
I'm trying to wrap my mind around Amazon's Server Side Encryption options so I can start asking S3 to encrypt my data at rest when my applications upload files.
到目前为止,AWS管理的加密密钥选项听起来像我正在寻找的东西(模型C ):
So far the AWS-Managed Encryption Keys option sounds like what I'm looking for (Model C):
但随后会显示
作为一种额外的保护措施,此密钥本身已使用定期旋转的Amazon S3独有的主密钥是安全的存储在AWS控制下的单独系统中.
As an additional safeguard, this key itself is encrypted with a periodically rotated master key unique to Amazon S3 that is securely stored in separate systems under AWS control.
此轮换如何工作?这是否意味着每次AWS旋转其密钥加密密钥,他们都必须重新加密S3中存储的每个 Data Key ?
How does this rotation work? Does this mean that every time AWS rotates their key-encrypting key, they have to re-encrypt EVERY SINGLE Data Key stored in S3???
在我看来这很疯狂,当我试图说服老板这是一个好主意时,我不想听起来很疯狂:)
That seems crazy to me, and I don't want to sound crazy when I try to convince my boss that this is a good idea :)
推荐答案
对于您上传的每个对象,都会生成一个新的加密密钥,并用于在将该对象存储到磁盘之前对其进行加密.
For each object you upload, a new encryption key is generated, and used to encrypt the object before it's stored to disk.
将对象存储为加密意味着拥有存储在磁盘上的原始数据的人在计算上无法解密...但是,当然,拥有该密钥的任何人都可以解密它,因此密钥具有可以安全地以相对无用的形式进行存储,这是通过使用主密钥对它们进行加密来实现的.
Having the object stored encrypted means the it's computationally infeasible for someone in possession of the raw data as stored on disk to decrypt it... but, of course, anyone in possession of that key could decrypt it, so the keys have to be stored securely, and in a relatively useless form, and that's done by encrypting them with the master key.
要破坏存储的对象,您必须具有该对象的特定加密密钥...但是,即使您拥有它,也没有用,因为它也已被加密.要解密它,或者至少要代您使用它,您必须拥有主密钥,或者与控制该主密钥并可以代表您使用它的实体建立信任关系.
To compromise the stored object, you have to have the specific encryption key for that object... but even if you have it, it's useless since it's also been encrypted. To get it decrypted, or at least have it used on your behalf, you have to have the master key, or have a trust relationship with an entity that controls the master key and can use it on your behalf.
到目前为止,我所做的一切显然是显而易见的.
So far, all I've really done is stated the obvious, of course.
加密密钥本身很小,每个只有几十个字节.旋转主密钥后,将使用旧密钥解密特定于对象的加密密钥,然后使用新密钥重新加密.新版本将被存储,而旧版本将被丢弃.
The encryption keys, themselves, are tiny, only a few tens of bytes each. When the master key is rotated, the object-specific encryption keys are decrypted with the old key, and re-encrypted with the new key. The new versions are stored, and the old versions are discarded.
由于密钥很小,因此如果对象本身被解密并重新加密,这并不是必需的繁琐操作……而只有每个对象的加密密钥在解密时才进行解密和重新加密.主键旋转.
Since the keys are small, this is not the massive operation that would be required if the objects themselves were decrypted and re-encrypted... but it's only the per-object encryption keys that are decrypted and re-encrypted when the master key is rotated.
有几个类比可以归结为一个公寓大楼,其中钥匙存储在公共密码箱中,在其中更改密码箱锁将通过限制对公共密码箱的访问来限制对单个公寓钥匙的访问,从而限制将来对单个公寓的访问.这个类比打破了,因为物理密钥很容易被复制,还有其他原因……但是,在此示例中,很明显,更改密码箱锁(相对简单的操作)与更改一个或多个公寓的锁无关(a更为重要的操作).
Several analogies could be drawn to an apartment complex, where keys are stored in a common lockbox, where changing the lockbox lock would restrict future access to individual apartments by restricting access to the individual apartment keys by restricting access to the common lockbox. The analogy breaks down, because physical keys are easily copied, among other reasons... but it's apparent, in this illustration, that changing the lockbox lock (relatively simple operation) would be unrelated to changing the lock on one or more apartments (a much more substantial operation).
在这种情况下,最重要的是,他们创建了一个新的密钥来加密/解密您上载的每个对象,然后以加密形式存储该密钥...定期且对您透明地更改存储的表示形式该密钥作为预防措施.
The bottom line, in this scenario, they create a new secret key to encrypt/decrypt each object you upload, then store that secret key in an encrypted form... periodically, and transparently to you, they change their stored representation of that secret key as a preventative measure.
这篇关于Amazon SSE-S3密钥轮换如何工作?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
