Cloud Key Management, Encryption
AWS VS Azure KMS
Deciding which cloud crypto vendor is best for you? Choosing between Amazon Web Services or Microsoft Azure is heavily debated by users. The transition toward uploading data on the public cloud is becoming the standard for organizations. The two main factors for protecting data are to protect the data from unauthorized access and to meet compliance regulations. Cloud Security must be the main priority of everyone in the organization. The use of encryption depends on the protection of the keys. Key protection and management are offered by Amazon Web Services Key Management Services (AWS KMS) and Microsoft Azure Key Vault. In today’s blog, Encryption Consulting will summarize Amazon Web Services (AWS) Key Management System (KMS) and Microsoft Azure Key Vault.
Amazon Web Services Key Management Services (AWS KMS)
AWS KMS is a managed service that is used to create and manage encryption keys. The two types of encryption keys in AWS KMS are Customer Master Keys (CMKs) and Data keys. CMKs can be used to encrypt and decrypt up to 4-kilobytes of data. Data Keys are generated, encrypted and decrypted by CMKs. The CMKs can never leave the AWS KMS. The CMKs could be customer managed or AWS managed. Data keys are used to encrypt data. AWS KMS does not store, manage or track data keys. AWS KMS cannot use data key to encrypt data for you. You have to use and manage data keys. AWS KMS uses FIPS 140-2 validated hardware security modules (HSM) and supported FIPS 140-2 validated endpoints ensuring confidentiality and integrity of your keys.
Azure Key Vault
Microsoft Azure Key Vault is used to store secrets like tokens, passwords, certificates, and API keys. Azure Key Vault can also be used as a key management solution. Key Vault can encrypt keys and secrets in hardware security modules (HSMS). Key Vault supports RSA and Elliptic Curve keys only. Microsoft will not see your keys, but processes the keys in FIPS 140-2 Level 2 validated HSMs.
| Control | AWS KMS | Azure Key Vault |
|---|---|---|
| Symmetric Key | AES-GCM-256 | X |
| Asymmetric Key | X | RSA-OAEP and RSA-PKCS #1v1.5 |
| Bring your own key (BYOK) | CMK wrapped with RSA 2048 | PKCS#12 or nCipher HSM |
| Unwrap Key | RSA-OAEP and RSA-PKCS#1v1.5 | RSA-OAEP and RSA-PKCS#1v1.5 |
| Sign | X | RSA-PSS and RSA-PKCS#1v1.5 |
| Key Length -Symmetric Key | AES 256 | X |
| Key Length-Asymmetric Key | X | RSA 2048 – 4096 |
| Key operations per second | 1000 – 5500 depending on the region | 1000 for HSM 2000 for Software-basedCrypto |
At Encryption Consulting, we are here to take care of all your encryption needs with respect to cloud key management.
Contact us at info@encryptionconsulting.com
