Types of encryption supported by AWS

AWS offers a range of encryption options, each tailored to address specific operational, security, and compliance requirements in various situations. This section delves into the various encryption methodologies supported by AWS, providing insights into their mechanics, advantages, and potential use cases.

Envelope encryption

Envelope encryption is a sophisticated encryption strategy that involves two layers of encryption keys. The primary data, or the payload, is encrypted using a unique data key. This data key, instead of being stored plainly, is then encrypted using another key, known as the master key. The encrypted data key is stored alongside the encrypted data. When decryption is required, the master key is used to decrypt the data key, which, in turn, decrypts the primary data. This dual-layered approach ensures that even if the encrypted data and its associated encrypted data key are accessed, the data remains secure without the master key. Another advantage of envelope encryption is the ease of key rotation. By rotating the master key, the security of data remains intact without the need to re-encrypt all the data. Instead, only the data key, which is considerably smaller and faster to process, needs to be re-encrypted.

AWS’s implementation of envelope encryption is both robust and efficient. AWS services such as S3 use envelope encryption to provide an added layer of security. The advantage of this approach is that it allows for the secure distribution and storage of data keys, as the master key, which remains securely stored in services such as KMS, is never directly exposed.

Figure 4.1 represents the envelope encryption workflow that’s used in AWS:

Figure 4.1 – Envelope encryption workflow

Symmetric versus asymmetric encryption

At its core, encryption relies on keys to encrypt and decrypt data. Encryption methods differ based on the keys they use, leading to two primary encryption mechanisms:

• Symmetric encryption: This type of encryption employs a single key for both encryption and decryption. This simplicity promotes efficiency, but it is crucial to ensure the key’s security. Symmetric encryption is ideal for encrypting large volumes of data due to its speed and efficiency. It is particularly suited for services such as S3, where data is stored in bulk, or RDS, where databases need to be encrypted. AWS services such as KMS primarily use symmetric encryption with AES 256.
• Asymmetric encryption: This type of encryption employs a pair of mathematically related keys – a public key for encryption and a private key for decryption. Asymmetric encryption is best suited for securing sensitive operations in AWS, such as establishing secure TLS connections or generating digital signatures for code or documents. It is beneficial when setting up secure communication channels between components and applications, where the public key can be shared without compromising security. AWS supports asymmetric encryption in services such as KMS, allowing users to create RSA and elliptic curve cryptography (ECC) key pairs.