Encryption SDK Flashcards
Encryption SDK
What is the Encryption SDK (ENCSDK)?
Open-source library from AWS
Value prop of ENCSDK?
Hides boring details about using keys and DEKs
What keys does ENCSDK work with?
DEKs and wrapping keys
What are wrapping keys?
Keys that encrypt your DEKs
What are some examples of things ENCSDK hides?
Message formatting, creating DEKs and encrypting them with wrapping keys
How does ENCSDK handle DEKs?
Uses a unique DEK for every operation
What are the rough limits for calling KMS?
Thousands of calls per second, shared across different regions
What is Data Key Caching?
Re-use DEKs to reduce the number of KMS calls
How do you set up Data Key Caching?
Set thresholds, such as the maximum age and the maximum number of bytes encrypted, after which a cached DEK expires
Where are DEKs cached?
In-memory only
What’s the fancy term for Data Key Caching?
Cryptographic Materials Cache (CMM)
Why isn’t ENCSDK built into KMS or the AWS SDK?
It isn’t tied to KMS; you can use it independently of AWS