Oracle Cloud Infrastructure (OCI) Key Management provides you with centralized management of the encryption of your data. You can use Key Management to create master encryption keys and data encryption keys, rotate keys to generate new cryptographic material, enable or disable keys for use in cryptographic operations, assign keys to resources, and use keys for encryption and decryption.
Encryption Key Storage
Encryption keys are a specific type of secret, used for encrypting and decrypting data. As with secrets configuration, there are many benefits to keeping this type of data in a special-purpose service, such as being able to perform wrap and unwrap operations without ever exposing the master key to the caller.
You need to identify every asset that stores encryption keys and control access to those assets as carefully as you control access to the encrypted data itself. The main types of encryption key storage are:
- Dedicated Hardware Security Modules (HSMs)
- Multi-tenant Key Management Systems (e.g., OCI Key Management)
Hardware Security Module[7]
In traditional on-premises environments with high security requirements, you would purchase a Hardware Security Module (HSM) to hold your encryption keys. An HSM is a physical computing device that safeguards digital keys and performs cryptographic operations on them; it has significant logical and physical protections against unauthorized access, so keys can be used without ever leaving the device.
Some cloud providers offer a dedicated HSM that you rent for your environment. This may be required for the highest-security environments, but a dedicated HSM remains expensive even in the cloud.
A Key Management Service (KMS) is a multitenant service that uses HSMs on the back end to keep keys safe. You have to trust both the HSM and the KMS (instead of just the HSM), which adds some additional risk. However, compared with performing your own key management (often incorrectly), a KMS provides excellent security at zero or very low cost, bringing the benefits of proper key management to projects with more modest security budgets.
Figure 1. Envelope Encryption
Envelope Encryption
OCI services cannot recover plaintext data without calling Key Management, and access to the master key is governed by OCI Identity and Access Management (IAM). Object Storage and Block Volume store only the encrypted (wrapped) form of the data key alongside the data, so every decryption requires a round trip to Key Management that IAM can allow or deny and that Audit records.
The data key used to encrypt your data is itself encrypted with a master key. This concept is known as envelope encryption (see Figure 1). This is how it works:[10]
- Typically there are many master keys (also called key-encrypting keys), and they are held in a key management system (KMS).
- When you need to encrypt a message:
  - A request is sent to the KMS to generate a data key under one of the master keys.
  - The KMS returns the data key in two forms: the plaintext data key and the same key encrypted (wrapped) under the master key.
  - The message is encrypted locally with the plaintext data key.
  - The encrypted message and the encrypted data key are packaged together into a structure (the envelope) and written to storage.
  - The plaintext data key is immediately wiped from memory; only the wrapped copy persists.
- When it comes time to decrypt the message:
  - The encrypted data key is extracted from the envelope.
  - The KMS is asked to decrypt the data key using the same master key (and the same key version) that was used to generate it.
  - Once the plaintext data key is obtained, the encrypted message itself is decrypted locally, and the plaintext data key is wiped again.
Master Encryption Key in OCI
Note that the master key is stored (in an HSM) and managed (by Key Management) separately from the data keys it protects. When you create a master encryption key using the Console (see Figure 2) or the API, Key Management stores the key version (the versioned master key) within a hardware security module (HSM) to provide a layer of physical security. Any given key version, after it is created, is replicated within the service infrastructure as protection against hardware failures. Key versions are not otherwise stored anywhere else and cannot be exported from an HSM, so master key material never leaves the service.
Key Management uses HSMs that meet Federal Information Processing Standards (FIPS) 140-2 Security Level 3 certification. This means that the HSM hardware is tamper-evident, has physical safeguards for tamper-resistance, requires identity-based authentication, and zeroizes the keys on the device when it detects tampering.
Figure 2. Centralized Key Management
OCI Key Management Capabilities
Oracle Key Management is a regional service in OCI, which replicates encryption keys across three availability domains in a region. It provides the following capabilities:
- Centralized key management
  - Creates and deletes key vaults to store encryption keys
    - Deleting a vault is not immediate: it enters a pending-deletion state with a waiting period of 7 to 30 days, during which the deletion can still be cancelled
  - Creates, enables and disables keys, but does not delete them (a disabled key cannot be used for cryptographic operations until it is enabled again)
  - Uses the Advanced Encryption Standard (AES) as its encryption algorithm; master keys are AES symmetric keys
    - Supports all AES key lengths (128, 192 and 256 bits)
  - Rotates your keys, which creates a new version of the master key; rotate periodically to limit how much data any one key version protects, and immediately if you suspect a key version may have leaked
    - Rotating a key does not automatically re-encrypt data that was previously encrypted with the old key version; that data is re-encrypted with the new version the next time the user modifies it, so old key versions remain available for decryption
- Secures key storage using per-customer isolated partitions in HSMs
  - OCI HSMs meet Federal Information Processing Standards (FIPS) 140-2 Security Level 3 certification
- Integrates with other OCI services
  - OCI Identity and Access Management (IAM)[8]
    - Lets you control which users and which services can access which keys, and what they can do with those keys
  - OCI Audit
    - Tracks administrative actions on keys and vaults
    - Lets you monitor key usage
  - OCI Block Volume and Object Storage services (see Figure 3)
    - Both integrate with Key Management to encrypt data in buckets and in block or boot volumes under keys you manage
Figure 3. Block Volume Encryption
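To make the envelope encryption steps and the rotation behaviour above concrete, here is an added example in Go; it is not code from the original post or from Oracle. It simulates Key Management with an in-memory map of master key versions that only ever hands out wrapped data keys (the real service keeps those versions in an HSM and is reached through the OCI API). The type and function names (KMS, WrappedKey, Envelope, Encrypt, Decrypt, Reencrypt), the master key name "app-key" and the record being encrypted are all assumptions made for the example, and the record is constructed sample data. AES-256-GCM is used both to wrap the data key and to encrypt the message; each wrapped key records the master key version it was wrapped under, which is what lets data written before a rotation still be read afterwards.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// WrappedKey is a data key encrypted under one master key version; the version is
// recorded so that the same version can unwrap it after a rotation.
type WrappedKey struct {
	Version           int
	Nonce, Ciphertext []byte
}

// Envelope is what gets stored: the ciphertext plus its wrapped data key.
type Envelope struct {
	Key               WrappedKey
	Nonce, Ciphertext []byte
}

// KMS stands in for Key Management (master key name -> key material per version).
// Callers only ever get wrapped data keys; the real service keeps these in an HSM.
type KMS map[string][][]byte

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds AES-256-GCM; every key here is exactly 32 bytes, so an error is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// zero wipes a plaintext data key as soon as it has been used (best effort: the
// expanded key schedule inside the AEAD keeps its own copy until it is collected).
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// CreateKey makes version 0; RotateKey appends a new current version and returns
// its number. Old versions stay available for unwrapping only, never for new data keys.
func (k KMS) CreateKey(name string) { k[name] = [][]byte{randomBytes(32)} }
func (k KMS) RotateKey(name string) int {
	k[name] = append(k[name], randomBytes(32))
	return len(k[name]) - 1
}

// GenerateDataKey returns a fresh plaintext data key plus the same key wrapped under
// the current master key version (what the KMS hands back in the write path).
func (k KMS) GenerateDataKey(name string) ([]byte, WrappedKey, error) {
	vs, ok := k[name]
	if !ok {
		return nil, WrappedKey{}, errors.New("no such master key")
	}
	v, plain := len(vs)-1, randomBytes(32)
	g, nonce := gcm(vs[v]), randomBytes(12) // 96-bit GCM nonce
	return plain, WrappedKey{v, nonce, g.Seal(nil, nonce, plain, nil)}, nil
}

// UnwrapDataKey decrypts a wrapped data key with the master key version it records;
// GCM rejects a wrapped key that was altered or re-labelled with another version.
func (k KMS) UnwrapDataKey(name string, w WrappedKey) ([]byte, error) {
	vs, ok := k[name]
	if !ok || w.Version < 0 || w.Version >= len(vs) {
		return nil, errors.New("unknown master key or key version")
	}
	return gcm(vs[w.Version]).Open(nil, w.Nonce, w.Ciphertext, nil)
}

// Encrypt is the write path: data key from the KMS, encrypt locally, keep the wrapped
// key beside the ciphertext, wipe the plaintext key before returning.
func Encrypt(kms KMS, name string, msg []byte) (Envelope, error) {
	plain, wrapped, err := kms.GenerateDataKey(name)
	if err != nil {
		return Envelope{}, err
	}
	defer zero(plain)
	g, nonce := gcm(plain), randomBytes(12)
	return Envelope{wrapped, nonce, g.Seal(nil, nonce, msg, nil)}, nil
}

// Decrypt is the read path: unwrap the data key via the KMS, then decrypt locally.
func Decrypt(kms KMS, name string, env Envelope) ([]byte, error) {
	plain, err := kms.UnwrapDataKey(name, env.Key)
	if err != nil {
		return nil, err
	}
	defer zero(plain)
	return gcm(plain).Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Reencrypt is the "re-encrypted the next time it's modified" step after a rotation:
// the record moves to the current master key version only when it is rewritten.
func Reencrypt(kms KMS, name string, env Envelope) (Envelope, error) {
	msg, err := Decrypt(kms, name, env)
	if err != nil {
		return Envelope{}, err
	}
	return Encrypt(kms, name, msg)
}

func main() {
	kms := KMS{}
	kms.CreateKey("app-key")
	old, _ := Encrypt(kms, "app-key", []byte("constructed sample record")) // under version 0
	kms.RotateKey("app-key")
	msg, err := Decrypt(kms, "app-key", old) // version 0 is retained, so this still works
	re, _ := Reencrypt(kms, "app-key", old)  // moved to version 1 only on rewrite
	fmt.Println(string(msg), err, old.Key.Version, re.Key.Version)
}
```

The point to notice when running it is that after RotateKey the old envelope still decrypts because its wrapped key names version 0, and it is moved to version 1 only when Reencrypt rewrites it, which is exactly the behaviour described under key rotation above. The practical consequence: if a key version is suspected to have leaked, rotating alone does not protect data already written under it; that data has to be re-encrypted (or the old version disabled once nothing depends on it), and the IAM rule that lets a service call the unwrap operation is what stands between an attacker holding a wrapped key and the plaintext.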
Limits[11]
Key Management limits are global.

Resources | Monthly Universal Credits | Pay-as-You-Go or Promo
---|---|---
Vaults in a tenancy | Contact Oracle | Contact Oracle
Keys in a vault (key versions, whether enabled or disabled, count against your limits) | Contact Oracle | Contact Oracle
References
1. Overview of Key Management
2. Oracle Cloud Infrastructure Key Management FAQ
3. OCI Level 100 - Key Management (YouTube video)
4. IaaS - Enterprise Cloud - Oracle Cloud Infrastructure (YouTube playlist)
5. OCI Level 100 Training (YouTube playlist)
6. OCI Level 200 Training (YouTube playlist)
7. Practical Cloud Security
8. Getting Started with IAM Policies
9. Applied Cryptography: Protocols, Algorithms and Source Code in C
10. Envelope Encryption
11. Key Management Limits (OCI)
12. Oracle Cloud Infrastructure (redthunder.blog)
13. More articles on OCI (XML and More)