KMS 2 Flashcards
Data Encryption Keys
How do you get around the 4 KB limit on plaintext?
Data Encryption Keys: a key you take away from KMS and use elsewhere (like EBS)
Data Encryption Keys
Where do you create a DEK?
Have to use the API (not available on the console)
Data Encryption Keys
Are DEKs symmetric or asymmetric?
Either! Separate APIs for both
Data Encryption Keys
What do you get back when you call GenerateDataKey?
Plaintext version of the DEK and a version encrypted with the KMS key that created it
Data Encryption Keys
Where are DEKs stored?
Nowhere (at least not in KMS)
Data Encryption Keys
What’s the typical use case after calling GenerateDataKey?
Use plaintext to encrypt something, store ciphertext and encrypted key together for later use
Data Encryption Keys
What happens to DEKs if you rotate the KMS key that created them?
Encrypted DEKs aren’t changed. They are out of the control of KMS.
Data Encryption Keys
How does KMS encrypt using DEKs?
It doesn’t. That’s the whole point of DEKs: you take the key elsewhere and do it yourself
Data Encryption Keys
How do you decrypt something with a DEK?
Pass encrypted DEK to KMS, get plaintext key, use it to decrypt data
Key Rotation
Can you auto-rotate AWS Managed keys?
Yes
Key Rotation
Can you turn off auto-rotate for AWS Managed Keys?
No
Key Rotation
Can you auto-rotate Customer Managed Keys?
Only ones with AWS-provided key material
Key Rotation
Can you turn off auto-rotate for customer managed keys?
Yes
Key Rotation
How often do keys auto-rotate, if enabled?
Once every year
Key Rotation
What happens when a KMS key is auto-rotated?
KMS keeps all previous key material so previously-encrypted material can still be decrypted