I have two methods that perform encryption/decryption. These methods accept three parameters ...
Plain Text (for encryption) or Cipher Text (for decryption)
Initialization Vector
Encryption Passphrase
I was planning on using Azure Key Vault to store the Encryption Passphrase but as I read through the documentation it appears as though Azure insists on performing the encryption/decryption itself.
Is there a way to just read the Encryption Passphrase from the Azure Key Vault and use it within my own encryption methods?
You could store it as a secret in the Key Vault.
Encryption/decryption is done by the Key Vault if you're using keys, not secrets.
Related
I have been doing a lot of research but I can't understand where I should save the encryption key in a production environment?
In local environment I have a .env file, but it feels very risky to have the encryption key written there in plain text in a production environment. I could encrypt it but then I just have another key to save somewhere.
I am not using AWS or any other big cloud platform, so I can't use AWS KMS etc.
I have looked into alternatives to AWS KMS, such as Doppler (doppler.com). You can store the key there, but to get the key with their API they use tokens to authenticate the requests, so then I have to store the token somewhere safe.. so it feels like I just running a rat race.
So I really need help here. Where should I store the encryption key? Where would you (and where can you) store it if you were not using any big cloud platform?
I am building an app that uses encryption.
The issue is that I'm not familiar with the best approach to store a private key.
Lets begin with an example:
Messaging apps that have end-to-end encryption, so the sender uses the public key of the receiver to encrypt data and the receiver uses its private key to decrypt it. Right?
But what is the approach to storing this private key?
I mean, if I store this key in a database it is as good as nothing, if my database get hacked then all the private keys are exposed.
Also, if I store the key on the device, there is also the possibility of someone finding the key and owning it.
My question is, what do I do with the private key?
What is the current approach to this problem?
For example, how does telegram stores its user keys securely?
My question is, what do I do with the private key?
You can encrypt the priv key using the Android Keystore System MasterKey, which may request authentication (biometric, device pattern, pin) upon decryption.
KeyGenParameterSpec keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC;
String mainKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec);
iOS has similar mechanism, but you have to search it yourself
I have a use case to encrypt the data while loading from S3 bucket to Snowflake tables. The S3 bucket is enabled with SSE-S3.
The files in S3 is additionally encrypted using KMS key before they are pushed to S3 (which I like to call as double encryption). I wanted to understand how Snowflake works on decryption of these data files. To be specific, is the data in transit (while undergoing auto-ingest) also encrypted.
Secondly, if the external stage in Snowflake is configured with the same KMS key id
encryption = (type = 'AWS_SSE_KMS' kms_key_id = 'xxxx-yyyy'
will Snowflake decrypt the data files and make it readable upon querying the table on which the files are loaded?
Thanks in advance
Snowflake supports either client-side encryption or server-side encryption. Either can be configured to decrypt files staged in S3 buckets.
Client-side encryption:
AWS_CSE: Requires a MASTER_KEY value. The master key must be a 128-bit or 256-bit key in Base64-encoded form.
For more information, see the AWS documentation for client-side encryption. Note that for client-side encryption, Snowflake supports using a master key stored in Snowflake; using a master key stored in AWS Key Management Service (AWS KMS) is not supported.
Server-side encryption:
AWS_SSE_S3: Requires no additional encryption settings.
AWS_SSE_KMS: Accepts an optional KMS_KEY_ID value.
For more information, see the AWS documentation for server-side encryption.
Using AWS Key Management Service (KMS) to manage keys requires configuring an IAM policy. For information, see the KMS documentation.
Details: https://docs.snowflake.com/en/user-guide/data-load-s3-encrypt.html#aws-data-file-encryption
When using the transit secret engine of HashiCorp Vault, the vault has to be called to encrypt data.
Now, I have the situation that I want to encrypt data in an insecure location, where I can't store the credentials for the encryption service. For those situations, asymmetric encryption is the perfect answer. I can use the public key to encrypt the data in the insecure location without calling the vault. But later, I can call the vault from a secure location to decrypt the same data.
From what I see, Vault only supports rsa-2048 and rsa-4096 which can't be used for large data. All other ciphers are symmetric.
Do I misunderstand something here or does HashiCorp only support asymmetric encryption for small data?
Currently, Tokbox's OpenTok supports archiving to Amazon S3. Amazon S3 supports AES-256 encryption at no additional charge. They recently added the ability to submit a user-generated key to encrypt the files with, but the key must come with the PUT request when adding the file to their service. Can I submit an encryption key to Tokbox/OpenTok to provide to Amazon S3 when archiving?
Unfortunately, no, OpenTok archiving doesn't currently accept an encryption key.
Tokbox now offers encrypted archiving as a Premium or Enterprise feature:
https://tokbox.com/blog/introducing-encrypted-archiving/