|By Gilad Parann-Nissany||
|June 13, 2014 08:33 PM EDT||
Amazon Web Services announced S3 SSE-C today; an enhancement allowing AWS S3 users to feed customer-generated keys to its S3 Server Side Encryption, which previously only allowed keys to be managed by Amazon itself. This is a great addition to the S3 feature set, and is a very usable way to enhance the security of AWS S3 for storing sensitive data.
Porticor’s Virtual Appliance for AWS integrates with AWS SSE-C to address two important questions:
- How can encryption keys be generated in a secure manner, especially given that virtual machines often suffer from lack of randomness (“entropy”).
- Best crypto practices call for a separate encryption key per S3 object – How can a customer manage a large set of sensitive encryption keys?
With Porticor, both issues are solved in a simple and elegant manner:
- The Porticor Virtual appliance serves as a secure source of crypto-grade random numbers, just the sort you need for cryptographic keys.
- The Porticor Key Management API allows your application to generate, store and retrieve cryptographic keys, and is easily accessible from any programming language as a simple RESTful API.
To illustrate the simplicity of the API, the following two operations generate a random key, and then (later on) delete the key. This happens after the application has been authenticated and received a temporary credential (a.k.a., authentication token):
PUT /api/protected_items/my-new-item?generate=16& api_cred=<temporary-cred>
The value returned in a JSON structure by the PUT operation can be used directly by the S3 calls. Keys (protected items) can have arbitrary names, and a natural solution would be to use the S3 object’s URI to name its corresponding cryptographic key.
As a further convenience feature, Porticor provides sample code in multiple programing languages, which lets you use the API without resorting to direct REST calls.