Concepts
Concept overview and definition of terms
The following defines some of the terms that are used in the context of the KMS.
Key Ring
A key ring is a logical group of cryptographic keys. It can contain any number of keys and is used to group them for organizational or access control reasons.
Wrapping Key
A wrapping key is used to encrypt and decrypt the cryptographic keys in your key ring.
Key
A key or key pair exists within a key ring. It can either be generated or imported and is used for encrypting and decrypting your data. A key can exist in any number of versions.
Version
Versions provide versioning for cryptographic keys and are assigned to a specific key.
Key import
A Key Import is an externally created cryptographic key brought to the KMS so that it can be managed, stored and used inside the KMS context. Key Imports are version-bound.
The following sections describe some of these concepts in more detail.
Advanced concepts
Envelope encryption
Envelope encryption describes the process of encrypting a key with another key, providing multiple layers of encryption and thus increasing security. It allows for a separation of concerns at the key level.
There are two types of keys:
- Data Encryption Keys (DEK)
- Key Encryption Keys (KEK)
Data encryption keys
These keys are used to encrypt data locally and have a limited scope. They’re usually short-lived and can be stored near the data they’re protecting. Each time you encrypt data, you can use a new DEK.
Key encryption keys
These keys have a broader scope and can be linked together to form a chain of responsibility. They’re long-lived and securely stored in our Key Management Service (KMS). KEKs are protected by the KMS and never leave the system.
Key flow
Here’s a step-by-step overview of the process:
- Generating the DEK: When a service wants to encrypt data, it first generates a DEK locally.
- Wrapping the DEK: The DEK is then wrapped using a KEK from the KMS.
- Encrypting data: The service uses the raw DEK to encrypt the data.
- Storing encrypted data: The encrypted data and the wrapped DEK are stored together.
- Decryption: When the data needs to be accessed, the wrapped DEK is decrypted using the KMS, and the raw DEK is used to decrypt the data locally.
Benefits of envelope encryption
Envelope encryption provides an additional layer of security and flexibility, making it easier to manage security across different systems. With KEKs securely stored in the KMS, you can be confident that your data is protected.
Key purposes and encryption algorithms
The algorithm depends on the purpose of the key. The purpose defines how the key will be used. Different purposes result in different algorithms being used.
Note that the KMS might implement a payload size limit for encrypt and decrypt operations. This reduces the load on the API and enforces a clean architecture. The background is the concept of chaining keys through envelope encryption: the KMS then only has to encrypt or decrypt other keys, not the data itself.
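The key flow above and the payload limit it motivates, as an added example that is not part of the original page or the KMS product's own code. The KMS is simulated by a constructed `mockKMS` that holds an AES-256-GCM KEK (the page's Symmetric Encrypt Decrypt algorithm) which never leaves it, and that refuses payloads above an assumed 64-byte limit; the page names no actual limit. `EncryptEnvelope`, `DecryptEnvelope` and the `Envelope` struct are hypothetical service-side helpers and one possible storage layout.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

var errPayloadTooLarge = errors.New("kms: payload exceeds size limit")

// newGCM builds an AES-256-GCM AEAD, the page's "Symmetric Encrypt Decrypt" algorithm.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// mockKMS is a constructed stand-in for the KMS: it holds a KEK that never leaves it
// and, as the page says a KMS might, caps the payload size of Encrypt and Decrypt.
type mockKMS struct {
	kek        cipher.AEAD
	maxPayload int // assumed value; the page names no specific limit
}

func newMockKMS(maxPayload int) (*mockKMS, error) {
	raw := make([]byte, 32)
	rand.Read(raw) // crypto/rand.Read never returns an error as of Go 1.24
	kek, err := newGCM(raw)
	if err != nil {
		return nil, err
	}
	return &mockKMS{kek: kek, maxPayload: maxPayload}, nil
}

// Encrypt wraps a small payload (a DEK, not bulk data) under the KEK.
func (k *mockKMS) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) > k.maxPayload {
		return nil, errPayloadTooLarge
	}
	nonce := make([]byte, k.kek.NonceSize())
	rand.Read(nonce)
	return k.kek.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

// Decrypt unwraps a payload produced by Encrypt, applying the same size limit.
func (k *mockKMS) Decrypt(wrapped []byte) ([]byte, error) {
	ns := k.kek.NonceSize()
	if n := len(wrapped) - ns - k.kek.Overhead(); n < 0 || n > k.maxPayload {
		return nil, errPayloadTooLarge
	}
	return k.kek.Open(nil, wrapped[:ns], wrapped[ns:], nil)
}

// Envelope is what the service stores: the data ciphertext next to its wrapped DEK.
type Envelope struct {
	WrappedDEK []byte
	Nonce      []byte
	Ciphertext []byte
}

// EncryptEnvelope follows the page's key flow: generate a DEK locally, wrap it via the
// KMS, encrypt the data with the raw DEK, and keep ciphertext and wrapped DEK together.
func EncryptEnvelope(kms *mockKMS, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	rand.Read(dek)
	wrapped, err := kms.Encrypt(dek)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	// The wrapped DEK is the associated data: swapping it for another wrapped key fails authentication.
	ct := aead.Seal(nil, nonce, plaintext, wrapped)
	return &Envelope{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptEnvelope is the inverse: the KMS unwraps the DEK, the service decrypts locally.
func DecryptEnvelope(kms *mockKMS, env *Envelope) ([]byte, error) {
	dek, err := kms.Decrypt(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, env.WrappedDEK)
}
```

Passing the wrapped DEK as GCM associated data is a design choice of this example, not something the page requires: it binds each ciphertext to the exact wrapped key it was produced with, so a stored record whose wrapped DEK is swapped or corrupted fails authentication instead of decrypting to garbage. Bulk data never reaches `mockKMS.Encrypt`; only the 32-byte DEK does, which is exactly what the payload limit is there to enforce.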
Purposes
- Symmetric Encrypt Decrypt: This purpose is used for symmetric encryption and decryption. Primarily used to implement the envelope encryption where the KEK is used to encrypt a DEK. Only normal keys can use this purpose.
- Asymmetric Encrypt Decrypt: This purpose is used for asymmetric encryption and decryption. The encryption will be performed using the public key of the asymmetric key. Only normal keys can use this purpose.
- Message Authentication Code: This purpose is used for creating message authentication codes for signing and verifying. Only normal keys can use this purpose.
- Asymmetric Sign Verify: This purpose is used for creating signatures. The signature is created using the private key of the asymmetric key. Only normal keys can use this purpose.
- Wrap Symmetric Key: This purpose is used to wrap symmetric keys for import. Only wrapping keys can use this purpose.
- Wrap Asymmetric Key: This purpose is used to wrap asymmetric keys for import. Only wrapping keys can use this purpose.
Algorithms
Symmetric Encrypt Decrypt
- AES 256 GCM: This will use the Advanced Encryption Standard (AES) with a 256-bit key in Galois/Counter Mode (GCM).
Asymmetric Encrypt Decrypt
- RSA 2048 OAEP SHA256: This will use a 2048-bit RSA key with Optimal Asymmetric Encryption Padding (OAEP) using a SHA256 digest.
- RSA 3072 OAEP SHA256: This will use a 3072-bit RSA key with Optimal Asymmetric Encryption Padding (OAEP) using a SHA256 digest.
- RSA 4096 OAEP SHA256: This will use a 4096-bit RSA key with Optimal Asymmetric Encryption Padding (OAEP) using a SHA256 digest.
- RSA 4096 OAEP SHA512: This will use a 4096-bit RSA key with Optimal Asymmetric Encryption Padding (OAEP) using a SHA512 digest.
Asymmetric Sign Verify
- ECDSA P256 SHA256: This will use the ECDSA algorithm based on the P256 curve (a.k.a. secp256r1).
- ECDSA P384 SHA384: This will use the ECDSA algorithm based on the P384 curve (a.k.a. secp384r1).
- ECDSA P521 SHA512: This will use the ECDSA algorithm based on the P521 curve (a.k.a. secp521r1).
Message Authentication Code
- HMAC SHA256: This will use a 256-bit key with a SHA256 digest.
- HMAC SHA384: This will use a 384-bit key with a SHA384 digest.
- HMAC SHA512: This will use a 512-bit key with a SHA512 digest.
Wrap Symmetric Key
- RSA 2048 OAEP SHA256: This will use a 2048-bit RSA key with Optimal Asymmetric Encryption Padding (OAEP) using a SHA256 digest.
- RSA 3072 OAEP SHA256: This will use a 3072-bit RSA key with Optimal Asymmetric Encryption Padding (OAEP) using a SHA256 digest.
- RSA 4096 OAEP SHA256: This will use a 4096-bit RSA key with Optimal Asymmetric Encryption Padding (OAEP) using a SHA256 digest.
- RSA 4096 OAEP SHA512: This will use a 4096-bit RSA key with Optimal Asymmetric Encryption Padding (OAEP) using a SHA512 digest.
Wrap Asymmetric Key
- RSA 2048 OAEP SHA256 with AES 256 Key Wrapping: This will use a 2048-bit RSA wrapping key with Optimal Asymmetric Encryption Padding (OAEP) using a SHA256 digest to encrypt a temporary AES 256 symmetric key that is used to encrypt the actual key material.
- RSA 3072 OAEP SHA256 with AES 256 Key Wrapping: This will use a 3072-bit RSA wrapping key with Optimal Asymmetric Encryption Padding (OAEP) using a SHA256 digest to encrypt a temporary AES 256 symmetric key that is used to encrypt the actual key material.
- RSA 4096 OAEP SHA256 with AES 256 Key Wrapping: This will use a 4096-bit RSA wrapping key with Optimal Asymmetric Encryption Padding (OAEP) using a SHA256 digest to encrypt a temporary AES 256 symmetric key that is used to encrypt the actual key material.
- RSA 4096 OAEP SHA512 with AES 256 Key Wrapping: This will use a 4096-bit RSA wrapping key with Optimal Asymmetric Encryption Padding (OAEP) using a SHA512 digest to encrypt a temporary AES 256 symmetric key that is used to encrypt the actual key material.