We want to create and manage keys in KMS and provide those keys to a third party to encrypt our data at rest. Third party uses GCS to store data. How do we go about it?
Trying to understand the steps and flow.
Per my understanding we will create a key ring and keys in KMS. Not sure how we provide those keys to third party so that they can encrypt our data at rest.
Use an asymmetric key (key pair), that way you can safely share the public key with them.
gcloud kms keys versions get-public-key key-version \
--key key \
--keyring key-ring-name \
--location location \
--output-file public-key.pub
The third party can use the public key to encrypt the data, but only you will have access to the private key in your kms to decrypt.
If the data is large, the third party should generate an AES key to encrypt the data, and then encrypt the AES key with your public key (rsa). Then store the encrypted data and the encrypted AES key together.
Related
I'm developing in Adonis.js 4 (node.js).
What I want to accomplish is to save inside my database an encrypted value. But I don't want to encrypt that value with an app key (same key for all values). I would like to have something external (this is why of AWS) where I can store an id and a key for each of my values.
Let's say I have a user table, where I have a password field. I want the password to be encrypted with a different key for each user, so that if someone has access to my db and one key they still could have access only to one user account.
Do you know some easy way I could achieve this?
From my researches I think I should use this for keeping secrets: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/SecretsManager.html
But what about Adonis? How could I change encryption key dynamically?
There is a task to encrypt a message with a key stored in HSM (LMK I suppose) to save the encrypted message in database. And decrypt later as well.
The commands I find are M0/M2. As I could see both commands require my own key in addition.
I may generate own keys somehow (with HSM or by another way), but how the message be encrypted finally? With the both my and LMK key? Some other way? And should I store my own key somewhere also?
Is it a more direct way to encrypt message with internal HSM key?
Thank in advance, I am very new with HSM Thales.
Commands M0 and M2 on a Thales 9000 Payshield are Encrypt Data Block and Decrypt Data Block respectively.
To use these commands, you have to provide a key in the M0 command which will be used to encrypt the data.
The key you use must itself be encrypted under an LMK keypair, which is stored in the HSM and should not be accessible to you (except in a test environment where you will normally know the values of all the test LMK keypairs).
To get that data encryption key, generate a ZEK, using command A0. The A1 response to this will give you the key. The key you receive is encrypted under an LMK keypair.
You can then use this key in an M0/M2 command to encrypt a given block of data.
You will need to store the key you receive in the A1 command (it's likely just 16 or 32 hex chars) as it is not stored in the HSM.
Encryption/decryption of any of this data will always have to be performed via the HSM, because only the HSM has access to the LMK keypair required to decrypt your key and make it usable.
I have a cms who use a SALT key in the config file to encrypt / decrypt passwords, credit card and some other sensitive informations in the database.
I would like to decrypt only specific rows in the database using the SALT key, and then re-encrypt the data.
How can i achieve this?
Thank you
I have certain information being stored in a MySQL database that warrants being stored in an encrypted form. However my .Net application can't absorb the perfomance hit of doing the encryption and decryption at the application layer.
Is there any MySQL function that allows an ecryption key to be specified in the connection string and then have the MySQL database do the encrption operations?
do you mean
AES_ENCRYPT
and
AES_DECRYPT
you can pass the key when you run the query
you can see an example
EDIT:
another option to use
DES_ENCRYPT() and DES_DECRYPT()
The key file can be specified with the --des-key-file server option
I created an asymmetric key on one of my SQL servers (2008). I encrypted a password field and I am able to retrieve that password just fine on my development server.
The issue comes into play where I need to move this data to a production server.
Here is the code for the key that was created:
CREATE MASTER KEY ENCRYPTION BY PASSWORD='#########'
CREATE ASYMMETRIC KEY UserEncryptionKey
WITH ALGORITHM = RSA_2048
Now, when I run this on the production server, it creates the key just fine. However, when I run my sproc to get the password, it returns NULL.
SQL:
SELECT EncryptByAsymKey(AsymKey_ID('UserEncryptionKey'), Password )
FROM Users WHERE UserName = '######'
Any thoughts on what I need to do to get the encrypted field to work on multiple SQL Servers?
Please let me know if I need to clarify something.
Thanks
Do not move encrypted data from a database to another. Technically is possible, true, but you will likely compromise the key in the process so I rather not tell you how to do it.
When data is exchanged between sites, the usual procedure separates the key management and deployment from data transfer. Data is decrypted before transfer and dedicate encryption schemes for data transfer are used, like TLS and SSL, that eliminate the problem of deploying and sharing the actual encryption keys.
Asa side note, normally one does no encrypt data with asymmetric keys. They are way too slow for data operations. What everybody does is they encrypt data with a symmetric key and then encrypt the symmetric key with an asymmetric key.