AWS KMS With External Key Material - The BYOK Solution

Tags: aws, aws kms, aws security | Jan 28, 2024

Introduction

AWS KMS provides a comprehensive solution for managing encryption keys, but what happens when we need to use keys generated outside of AWS? Enter the concept of "Bring Your Own Key" (BYOK) and the option of using an External Key Store. Let's break down these concepts, starting with BYOK, and then compare it with the External Key Store option.

What is BYOK?

Bring Your Own Key (BYOK) is a feature within AWS KMS that allows us to import our own encryption keys into AWS. This is particularly useful for organizations that need to meet specific compliance requirements, maintain control over the key generation process, or simply wish to use a key that has been used elsewhere.

Basic Setup Steps for BYOK

  1. Prepare Our Key: Ensure our key is a 256-bit symmetric key. Asymmetric keys are not supported for BYOK.

  2. Secure Key Storage: Before importing, make sure our key is securely stored and managed outside of AWS. This includes ensuring its security, availability, and durability.

  3. Import the Key into AWS KMS:

    • Use the AWS Management Console, AWS CLI, or SDKs to import our key material into a new or existing KMS key.
    • During the import process, we'll need to provide the key material and its associated metadata.

  4. Use Our Key: Once imported, our key can be used for cryptographic operations across AWS services that are integrated with AWS KMS, similar to keys generated within AWS KMS.

  5. Key Rotation: AWS KMS does not automatically rotate imported keys. We must manage the rotation process manually, which involves creating new keys and reimporting them as needed.
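The steps above, worked through as a script. This is an added example, not code from the original post or from AWS. It assumes the openssl command-line tool is installed, and it uses a locally generated RSA-2048 key pair as a stand-in for the wrapping key that `aws kms get-parameters-for-import` hands out, so the wrap/unwrap check can run offline; in a real import only the public half would exist on our side, and the private half never leaves KMS. The AWS CLI calls that consume the wrapped blob are printed rather than executed, with `KEY_ID` as a placeholder for the key we create.

```shell
#!/bin/sh
# BYOK key wrapping for AWS KMS ImportKeyMaterial (RSAES_OAEP_SHA_256),
# demonstrated offline. Added example; not the post's or AWS's own code.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for the KMS wrapping key. In a real import the DER public
# key comes from get-parameters-for-import and there is no private half here.
make_stand_in_wrapping_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/wrapping_private.pem" 2>/dev/null
  openssl pkey -in "$WORK/wrapping_private.pem" -pubout \
    -outform DER -out "$WORK/WrappingPublicKey.bin"
}

# Step 1: 256-bit symmetric key material, generated outside AWS.
generate_key_material() {
  openssl rand -out "$WORK/PlaintextKeyMaterial.bin" 32
}

# Step 3: wrap the material with RSA-OAEP using SHA-256 for both the hash and
# MGF1, which is what the RSAES_OAEP_SHA_256 wrapping algorithm requires.
wrap_key_material() {
  openssl pkeyutl -encrypt -pubin -keyform DER -inkey "$WORK/WrappingPublicKey.bin" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 \
    -in "$WORK/PlaintextKeyMaterial.bin" -out "$WORK/EncryptedKeyMaterial.bin"
}

# Local check, possible only because we hold the stand-in private key: the
# wrapped blob must unwrap back to exactly the original 32 bytes.
unwrap_matches_plaintext() {
  openssl pkeyutl -decrypt -inkey "$WORK/wrapping_private.pem" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 \
    -in "$WORK/EncryptedKeyMaterial.bin" -out "$WORK/Unwrapped.bin"
  cmp -s "$WORK/PlaintextKeyMaterial.bin" "$WORK/Unwrapped.bin"
}

key_material_size() { wc -c < "$WORK/PlaintextKeyMaterial.bin" | tr -d ' '; }
wrapped_size() { wc -c < "$WORK/EncryptedKeyMaterial.bin" | tr -d ' '; }

# The AWS CLI side of steps 3 and 5. Printed, not run, so this stays offline.
# KEY_ID is a placeholder for the id returned by create-key.
print_aws_commands() {
  cat <<'EOF'
# create a KMS key whose material will be imported (origin EXTERNAL)
aws kms create-key --origin EXTERNAL --description "BYOK key" --query KeyMetadata.KeyId --output text
# fetch the wrapping public key and import token; both are base64 in the response
aws kms get-parameters-for-import --key-id "$KEY_ID" --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 --query PublicKey --output text | base64 -d > WrappingPublicKey.bin
aws kms get-parameters-for-import --key-id "$KEY_ID" --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 --query ImportToken --output text | base64 -d > ImportToken.bin
# upload the wrapped material; set --valid-to instead to force re-import on a schedule (step 5)
aws kms import-key-material --key-id "$KEY_ID" --encrypted-key-material fileb://EncryptedKeyMaterial.bin --import-token fileb://ImportToken.bin --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE
EOF
}

make_stand_in_wrapping_key
generate_key_material
wrap_key_material
unwrap_matches_plaintext && echo "wrapped key material round-trips locally ($(wrapped_size) bytes)"
print_aws_commands
```

Two details matter in practice: the public key and import token must come from the same get-parameters-for-import call (they are issued as a pair and expire together), so in a real run fetch the response once and decode both fields from it rather than calling twice as the printed lines do for readability; and the plaintext material file should be wiped from local disk once the import succeeds, since from then on the only copy that should exist is the one held securely outside AWS for re-import.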

External Key Store (Custom Key Store Option)

The External Key Store option allows AWS services to use cryptographic keys stored and managed outside AWS, in an external system. This setup keeps our key management and cryptographic operations entirely external, with AWS KMS facilitating cryptographic requests without accessing the keys directly.

Key Differences Between BYOK and External Key Store

  • Key Management: With BYOK, the imported keys are managed by AWS KMS once imported, allowing AWS to perform encryption and decryption operations. In contrast, with an External Key Store, keys are managed completely outside of AWS, and AWS KMS never accesses the keys directly.

  • Cryptographic Operations: BYOK allows AWS services to perform cryptographic operations using the imported keys within AWS KMS. For an External Key Store, all cryptographic operations are performed outside AWS, with AWS KMS acting merely as an intermediary.

  • Control and Compliance: Both BYOK and External Key Store options offer enhanced control over encryption keys and can help meet compliance requirements. However, the External Key Store provides the highest level of control, as keys and operations remain entirely external.

  • Setup and Integration: BYOK involves a straightforward import process into AWS KMS. Setting up an External Key Store may require more complex integration and configuration efforts to ensure seamless operation between AWS services and the external key management system.

Conclusion

Choosing between BYOK and an External Key Store depends on our organization's specific needs for key management, control, and compliance. BYOK balances control and convenience, which is ideal for those who want to bring pre-existing keys into AWS. The External Key Store option suits organizations seeking the highest level of key management autonomy, with keys and their operations kept completely outside AWS.
