PerlMonks  

Re: OT: Storing encryption keys securely

by eyepopslikeamosquito (Archbishop)
on Jan 25, 2017 at 21:58 UTC


in reply to OT: Storing encryption keys securely

To get a feel for how folks in the cloud are tackling security and key management, I found this AWS security talk by Bill Shinn interesting.

Some items discussed:

  • Limited Blast Radius. Contain the damage caused by the loss of a single key.
  • Key Hierarchies. Symmetric Key + Master Key -> Encrypted Data Key. You store the encrypted data key with the data. That key is encrypted with a master key that is stored elsewhere. How to protect the master key? Well, you could have an Application Key ... encrypted with a Server Key ... encrypted with a Region Key ... encrypted with an Availability Zone Key, say. That is, design your own key hierarchy - with the goal of reducing the blast radius of the loss of a single key.
  • Auditing. Log key management activity and security-related events to one or more external agents (e.g. via syslog). Important when investigating a breach.

Update: See also Re: Security techniques every programmer should know (Security References)
