Friday, December 21, 2018

Oracle Cloud Infrastructure―OCI Key Management Basics

Oracle Cloud Infrastructure (OCI) Key Management provides centralized management of the encryption of your data. You can use Key Management to create master encryption keys and data encryption keys, rotate keys to generate new cryptographic material, enable or disable keys for use in cryptographic operations, assign keys to resources, and use keys for encryption and decryption.

Encryption Key Storage

Encryption keys are a specific type of secret that are used for encrypting and decrypting data. As with secrets configuration, there are many benefits to using a special-purpose service for this type of data, such as being able to perform wrap and unwrap operations without exposing the master key.

You need to identify any assets that store encryption keys and carefully control access to these, in addition to controlling access to the encrypted data. The main types of encryption key storage are:

Hardware Security Module[7]


In traditional on-premises environments with high security requirements, you would purchase a Hardware Security Module (HSM) to hold your encryption keys. An HSM is a physical computing device that safeguards digital keys and performs cryptographic processing; it has significant logical and physical protections against unauthorized access.

Some cloud providers have an option to rent a dedicated HSM for your environment. While this may be required for the highest-security environments, a dedicated HSM is still expensive in a cloud environment.

A Key Management Service (KMS) is a multitenant service that uses an HSM on the back end to keep keys safe. You do have to trust both the HSM and the KMS (instead of just the HSM), which adds a little additional risk. However, compared to performing your own key management (often incorrectly), a KMS provides excellent security at zero or very low cost. You can have the benefits of proper key management in projects with more modest security budgets.

Figure 1.  Envelope Encryption

Envelope Encryption

OCI services do not have access to the plaintext data without interacting with Key Management and without access to the master key that is protected by OCI Identity and Access Management (IAM). For decryption purposes, Object Storage and Block Volume store only the encrypted form of the data key.

The data key used to encrypt your data is, itself, encrypted with a master key. This concept is known as envelope encryption (see Figure 1). This is how it works:[10]
  1. Typically there are many master keys (or key-encrypting keys), which are held in a key management system (KMS). When you need to encrypt a message:
    • A request is sent to the KMS to generate a data key based on one of the master keys.
    • The KMS returns a data key, which usually contains both the plaintext version and the encrypted version of the data key.
    • The message is encrypted using the plaintext key.
    • Both the encrypted message and the encrypted data key are then packaged into a structure (sometimes called an envelope) and written.
    • The plaintext key is immediately removed from memory.
  2. When it comes time to decrypt the message:
    • The encrypted data key is extracted from the envelope.
    • The KMS is asked to decrypt the data key using the same master key that was used to generate it.
    • Once the plaintext version of the data key is obtained, the encrypted message itself is decrypted.

Master Encryption Key in OCI

Note that the master key is stored (in an HSM) and managed (by the KMS) separately from the data key itself. When you create a master encryption key using the Console (see Figure 2) or the API, Key Management stores the key version (or versioned master key) within a hardware security module (HSM) to provide a layer of physical security. Any given key version, after it is created, is replicated within the service infrastructure as a measure of protection against hardware failures. Key versions are not otherwise stored anywhere else and cannot be exported from an HSM.

Key Management uses HSMs that meet the Federal Information Processing Standards (FIPS) 140-2 Security Level 3 certification. This means that the HSM hardware is tamper-evident, has physical safeguards for tamper resistance, requires identity-based authentication, and deletes keys from the device when it detects tampering.

Figure 2.  Centralized Key Management

OCI Key Management Capabilities

Oracle Key Management is a regional service in OCI that replicates encryption keys across 3 availability domains in a region. It provides the following capabilities:
  • Centralized key management
    • Creates/deletes key vaults to store encryption keys
      • The waiting period for vault deletion is 7 to 30 days
    • Creates/enables/disables keys, but does not delete them
      • Key Management uses the Advanced Encryption Standard (AES) as its encryption algorithm, and its keys are AES symmetric keys
      • Rotates your keys (which creates a new version of the master key) if you suspect they may have leaked
        • Rotating a key does not automatically re-encrypt data that was previously encrypted with the old key version; that data is re-encrypted the next time it is modified by the user.
  • Secures key storage using per-customer isolated partitions in HSMs
    • OCI HSMs meet the Federal Information Processing Standards (FIPS) 140-2 Security Level 3 certification.
  • Integrates with other OCI services
    • OCI Identity and Access Management (IAM)[8]
      • Lets you control who and which services can access which keys, and what they can do with those keys.
    • OCI Audit
      • Tracks administrative actions on keys and vaults
      • Monitors key usage
    • OCI Block Volume and Object Storage services (see Figure 3)
      • Both integrate with Key Management to support encryption of data in buckets and in block or boot volumes
Figure 3.  Block Volume Encryption
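As an added illustration (not part of the original post, and not Oracle's code or API), the following Go program walks through both halves of the envelope encryption procedure described above and the key-rotation behaviour listed under the capabilities. A toy in-memory KMS (ToyKMS, an assumed stand-in for Key Management; in OCI the master keys would sit inside the HSM) hands out data keys in plaintext and wrapped form, the caller encrypts with the plaintext key and keeps only the ciphertext, the wrapped key and the master key version, and rotating the master key does not break envelopes wrapped under the earlier version, because the old version is retained. The page names AES but no mode, so AES-GCM, the 256-bit key sizes, the ToyKMS/Envelope names and the sample record are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randBytes returns n random bytes; a failing CSPRNG is fatal for a key service.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds AES-GCM for a key. Every key here is 32 bytes, so a failure is a bug.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts plaintext with AES-GCM under key and prepends the random nonce.
func seal(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; any tampering fails the GCM authentication tag.
func open(key, sealed []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// ToyKMS stands in for Key Management (an assumption for this example); master keys never leave it.
type ToyKMS struct {
	versions [][]byte // versions[i] is master key version i+1; the last one is current; call Rotate once to create version 1
}

// Rotate adds a new current master key version and returns its number; old versions stay, so old envelopes still decrypt.
func (k *ToyKMS) Rotate() int {
	k.versions = append(k.versions, randBytes(32)) // AES-256 master key
	return len(k.versions)
}

// GenerateDataKey returns a fresh AES-256 data key in plaintext, the same key wrapped under the current master key, and that version.
func (k *ToyKMS) GenerateDataKey() (plain, wrapped []byte, version int) {
	plain, version = randBytes(32), len(k.versions)
	return plain, seal(k.versions[version-1], plain), version
}

// DecryptDataKey unwraps a data key under the master key version it was wrapped with.
func (k *ToyKMS) DecryptDataKey(wrapped []byte, version int) ([]byte, error) {
	if version < 1 || version > len(k.versions) {
		return nil, errors.New("unknown master key version")
	}
	return open(k.versions[version-1], wrapped)
}

// Envelope is what gets written to storage: ciphertext, wrapped data key, and the master key version that unwraps it.
type Envelope struct {
	Ciphertext, WrappedKey []byte
	MasterKeyVer           int
}

// EnvelopeEncrypt: get a data key, encrypt the message with its plaintext half, package the envelope, wipe the plaintext key.
func EnvelopeEncrypt(k *ToyKMS, msg []byte) *Envelope {
	plain, wrapped, v := k.GenerateDataKey()
	defer clear(plain) // the plaintext data key must not outlive this call
	return &Envelope{Ciphertext: seal(plain, msg), WrappedKey: wrapped, MasterKeyVer: v}
}

// EnvelopeDecrypt: have the KMS unwrap the data key under the recorded version, then decrypt the message with it.
func EnvelopeDecrypt(k *ToyKMS, env *Envelope) ([]byte, error) {
	plain, err := k.DecryptDataKey(env.WrappedKey, env.MasterKeyVer)
	if err != nil {
		return nil, err
	}
	defer clear(plain)
	return open(plain, env.Ciphertext)
}

func main() {
	kms := &ToyKMS{}
	kms.Rotate() // version 1
	env := EnvelopeEncrypt(kms, []byte("constructed sample record"))
	current := kms.Rotate() // version 2 is current now; env still records version 1
	pt, err := EnvelopeDecrypt(kms, env)
	fmt.Printf("%q wrapped under v%d (current v%d), err=%v\n", pt, env.MasterKeyVer, current, err)
}
```

Run it with `go run`; it prints the decrypted record together with the version that wrapped it (1) and the current version (2). The only state a storage service has to keep is the Envelope, which is what the Object Storage and Block Volume paragraph above means by storing only the encrypted form of the data key; re-encrypting that data under the new version is a separate step that the rotation itself does not perform.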


Limits[11]

Key Management limits are global.

Resources                    Monthly Universal Credits    Pay-as-You-Go or Promo
Vaults in a tenancy          Contact Oracle               Contact Oracle
Keys in a vault (*)          Contact Oracle               Contact Oracle

(*) Key versions, whether enabled or disabled, count against your limits.

2 comments:

Nanafauda said...

Great

Nanafauda said...

For 20 years, GloNet Security & Lock Services has specialized in crafting personalized security solutions for homes and businesses throughout the Greater Toronto Area. Situated in Oakville, our expertise extends across Mississauga, Brampton, Burlington, Guelph, Halton, Hamilton, and Toronto, focusing on comprehensive key and key management services.