Can I use Asymmetric Keys generated in KMS for encrypting and decrypting data through Google DLP APIs?
https://cloud.google.com/kms/docs/creating-asymmetric-keys
Related
I have a use case to encrypt the data while loading from S3 bucket to Snowflake tables. The S3 bucket is enabled with SSE-S3.
The files in S3 are additionally encrypted using a KMS key before they are pushed to S3 (which I like to call double encryption). I wanted to understand how Snowflake handles decryption of these data files. To be specific, is the data in transit (while undergoing auto-ingest) also encrypted?
Secondly, if the external stage in Snowflake is configured with the same KMS key id
encryption = (type = 'AWS_SSE_KMS' kms_key_id = 'xxxx-yyyy')
will Snowflake decrypt the data files and make them readable upon querying the table into which the files are loaded?
Thanks in advance
Snowflake supports either client-side encryption or server-side encryption. Either can be configured to decrypt files staged in S3 buckets.
Client-side encryption:
AWS_CSE: Requires a MASTER_KEY value. The master key must be a 128-bit or 256-bit key in Base64-encoded form.
For more information, see the AWS documentation for client-side encryption. Note that for client-side encryption, Snowflake supports using a master key stored in Snowflake; using a master key stored in AWS Key Management Service (AWS KMS) is not supported.
Server-side encryption:
AWS_SSE_S3: Requires no additional encryption settings.
AWS_SSE_KMS: Accepts an optional KMS_KEY_ID value.
For more information, see the AWS documentation for server-side encryption.
Using AWS Key Management Service (KMS) to manage keys requires configuring an IAM policy. For information, see the KMS documentation.
Details: https://docs.snowflake.com/en/user-guide/data-load-s3-encrypt.html#aws-data-file-encryption
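An added example, not part of the answer above or of Snowflake's documentation: a Python helper that applies the three rules listed in the answer (AWS_CSE needs a 128-bit or 256-bit Base64 MASTER_KEY, AWS_SSE_S3 takes no settings, AWS_SSE_KMS takes an optional KMS_KEY_ID) and renders the stage's ENCRYPTION option. The function names and sample keys are constructed for illustration.

```python
import base64
import binascii
from typing import Optional

TYPES = ("AWS_CSE", "AWS_SSE_S3", "AWS_SSE_KMS")

def check_master_key(b64_key: str) -> int:
    """Return the key size in bits for a valid AWS_CSE MASTER_KEY, else raise ValueError."""
    try:
        raw = base64.b64decode(b64_key, validate=True)
    except binascii.Error as exc:
        raise ValueError("MASTER_KEY is not valid Base64") from exc
    if len(raw) not in (16, 32):
        raise ValueError(f"MASTER_KEY decodes to {len(raw) * 8} bits; need 128 or 256")
    return len(raw) * 8

def encryption_clause(enc_type: str, master_key: Optional[str] = None,
                      kms_key_id: Optional[str] = None) -> str:
    """Render the ENCRYPTION = (...) stage option for one of the three AWS types."""
    if enc_type not in TYPES:
        raise ValueError(f"unsupported encryption type: {enc_type}")
    if enc_type == "AWS_CSE":
        if master_key is None or kms_key_id is not None:
            raise ValueError("AWS_CSE requires MASTER_KEY and does not take KMS_KEY_ID")
        check_master_key(master_key)  # Base64 alphabet only, so safe to quote
        return f"ENCRYPTION = (TYPE = 'AWS_CSE' MASTER_KEY = '{master_key}')"
    if master_key is not None:
        raise ValueError(f"{enc_type} does not take MASTER_KEY")
    if enc_type == "AWS_SSE_S3":
        if kms_key_id is not None:
            raise ValueError("AWS_SSE_S3 takes no additional encryption settings")
        return "ENCRYPTION = (TYPE = 'AWS_SSE_S3')"
    if kms_key_id is None:  # AWS_SSE_KMS: KMS_KEY_ID is optional
        return "ENCRYPTION = (TYPE = 'AWS_SSE_KMS')"
    if "'" in kms_key_id or "\\" in kms_key_id:
        raise ValueError("KMS_KEY_ID must not contain quotes or backslashes")
    return f"ENCRYPTION = (TYPE = 'AWS_SSE_KMS' KMS_KEY_ID = '{kms_key_id}')"

# Constructed sample values, not real keys.
SAMPLE_KEY_256 = base64.b64encode(bytes(range(32))).decode()
SAMPLE_KEY_HEX = "00" * 32  # hex, not Base64: decodes to 384 bits and is rejected

if __name__ == "__main__":
    print(encryption_clause("AWS_CSE", master_key=SAMPLE_KEY_256))
    print(encryption_clause("AWS_SSE_S3"))
    print(encryption_clause("AWS_SSE_KMS", kms_key_id="xxxx-yyyy"))
```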
I'm looking for documentation that says what level of encryption is used at rest for Firebase Auth and Firestore data:
Firebase Authentication
Firestore
This Stack Overflow question points to a link that says it is encrypted, here: https://firebase.google.com/support/privacy#data_encryption
However, it does not specify the encryption level.
Is the data encrypted with AES-256? If not, what level of encryption is used?
Firestore is a part of Google Cloud products and all user content stored in Google Cloud is encrypted at rest without additional action required.
As shown in the diagram, data chunks in storage systems are protected by AES256 encryption with integrity.
The same applies to Firebase Auth, as the service runs on Google infrastructure, though it is exclusive to US datacenters.
https://cloud.google.com/security/encryption-at-rest/default-encryption
When using the transit secret engine of HashiCorp Vault, the vault has to be called to encrypt data.
Now, I have the situation that I want to encrypt data in an insecure location, where I can't store the credentials for the encryption service. For those situations, asymmetric encryption is the perfect answer. I can use the public key to encrypt the data in the insecure location without calling the vault. But later, I can call the vault from a secure location to decrypt the same data.
From what I see, Vault only supports rsa-2048 and rsa-4096, which can't be used for large data. All other ciphers are symmetric.
Do I misunderstand something here or does HashiCorp only support asymmetric encryption for small data?
So, I know Firebase encrypts data at rest according to this question.
The question is: do they use a unique key per account, and where are those keys stored?
This is more a compliance concern.
Firebase relies on Google Cloud Platform's default encryption at rest.
Data is not encrypted with an account-specific key.
I have two methods that perform encryption/decryption. These methods accept three parameters ...
Plain Text (for encryption) or Cipher Text (for decryption)
Initialization Vector
Encryption Passphrase
I was planning on using Azure Key Vault to store the Encryption Passphrase but as I read through the documentation it appears as though Azure insists on performing the encryption/decryption itself.
Is there a way to just read the Encryption Passphrase from the Azure Key Vault and use it within my own encryption methods?
You could store it as a secret in the Key Vault.
Encryption/decryption is done by the Key Vault if you're using keys, not secrets.