
I highly second the people saying KMS (AWS KMS, Google KMS, or KeyVault).

* The pricing for just storing keys is incredibly cheap.

* At least with Google KMS you can't delete the keys without a 24 hour waiting period (and you can alert on the deletion attempt), so that's a huge safeguard.

* You get key access auditing out of the box.
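The deletion safeguards and audit logging mentioned above are only useful if someone watches for the deletion attempt within the waiting period. Below is an added example (not from this thread or from any cloud provider's SDK) of a small detector that runs over constructed CloudTrail-style KMS records, flags destructive key actions, and, for `ScheduleKeyDeletion`, computes the date by which the deletion must be cancelled. The sample events, account ID and key IDs are constructed placeholders; the event names are the real AWS KMS API action names.

```python
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style records (not real data); only the fields the
# detector reads are included. Account ID and key IDs are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-role"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-1"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-1",
                           "pendingWindowInDays": 7}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DisableKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-2"}},
    # Same action name from a different service: must not be matched.
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"},
     "requestParameters": {}},
]

# KMS API actions that make key material unusable or remove it.
DESTRUCTIVE_KMS_ACTIONS = {
    "ScheduleKeyDeletion",
    "DisableKey",
    "DeleteImportedKeyMaterial",
}


def _parse_time(ts: str) -> datetime:
    """CloudTrail timestamps are ISO 8601 with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_destructive_kms_events(events):
    """Return one alert dict per destructive KMS action found in `events`.

    For ScheduleKeyDeletion the alert carries `cancel_by`: the instant the
    pending window (pendingWindowInDays, default 30 in AWS KMS) elapses, i.e.
    the deadline for calling CancelKeyDeletion.
    """
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        action = ev.get("eventName")
        if action not in DESTRUCTIVE_KMS_ACTIONS:
            continue
        params = ev.get("requestParameters") or {}
        when = _parse_time(ev["eventTime"])
        alert = {
            "action": action,
            "actor": ev.get("userIdentity", {}).get("arn", "<unknown>"),
            "key_id": params.get("keyId", "<unknown>"),
            "time": when,
            "cancel_by": None,
        }
        if action == "ScheduleKeyDeletion":
            window = int(params.get("pendingWindowInDays", 30))
            alert["cancel_by"] = when + timedelta(days=window)
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_destructive_kms_events(SAMPLE_EVENTS):
        print(f"{a['time'].isoformat()} {a['action']} on {a['key_id']} by {a['actor']}"
              + (f"; cancel by {a['cancel_by'].isoformat()}" if a["cancel_by"] else ""))
```

In practice the records would come from a CloudTrail log delivery rather than an inline list; the filter on `eventSource` matters because other services reuse generic action names.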



AWS KMS also enforces a waiting period of between 7 and 30 days before it will let you delete a key.

There’s also a feature you can enable that automatically rotates your key once a year. KMS is great!


Given the keys never leave the KMS hardware encryption module, are you at all concerned that all your data will be destroyed if you lose access to KMS for any reason? That's what has always given me pause when I consider KMS. Or do KMS users just take on faith that AWS will always be there?

Why do you like their auto-rotation? The keys that are rotated out are never disabled, so I don't really understand the benefit. In what scenario would their auto-rotation improve security?


> Or do KMS users just take on faith that AWS will always be there?

I don't take on faith that they'll always be there, but I do believe that if for whatever (extremely highly unlikely) reason they did go away that they'd make it possible to get my keys, or give me enough notice so I could re-encrypt with other keys.

Face it, when running a business there is a ton of trust you have to put in 3rd parties (banks, insurers, your employees, the government, etc.) Yes, you should always evaluate the trustworthiness of 3rd parties, but AWS going away and deleting my keys is probably #6327 of things I worry about.


> if for whatever (extremely highly unlikely) reason they did go away that they'd make it possible to get my keys,

It is a very common design criterion for an HSM to not be able to do that, no matter how willing.


This is fine if you're committed to using (say) AWS KMS for your encryption needs as a service with its per-API-call pricing.

The costs of that obviously scale in a completely different way from the per-key storage costs (which are actually zero, I think).


Google's KMS pricing structure is $0.06/key/month + $0.03/10,000 encrypts/decrypts [0].

At $0.06/key/month, that's practically free for most reasonable use cases. For example, if there's 10k secrets that's $7,200/year.

If you encrypt/decrypt your secrets 1 million times per day (~11.6 times/s), the access charges would be $1,095/year (1 million operations/day * 365 days/year * $0.03 / 10,000 operations).

[0]: https://cloud.google.com/kms


If you use the AWS Encryption SDK, you can cache your data keys and reduce your calls to KMS: https://docs.aws.amazon.com/encryption-sdk/latest/developer-...
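To make the cost argument concrete, here is an added example (my own code, not the AWS Encryption SDK and not from this thread) of the envelope-encryption pattern with a data-key cache. A mock KMS stands in for the real service and counts `GenerateDataKey` calls; the caching materials manager reuses a data key until it hits a message count, byte count or age limit, which mirrors the limits the real SDK's caching CMM exposes. The HMAC-SHA256 counter keystream is an assumed stand-in for AES-GCM so the block runs offline; it provides no integrity protection and is not meant for real use.

```python
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _ctx_bytes(ctx: dict) -> bytes:
    """Canonical encoding of the encryption context (binds it to the wrapped key)."""
    return json.dumps(ctx, sort_keys=True).encode()


class MockKMS:
    """Stand-in for the KMS GenerateDataKey / Decrypt API; counts calls."""

    def __init__(self):
        self.generate_calls = 0
        self.decrypt_calls = 0
        self._master = os.urandom(32)  # constructed; a real KMS never exposes this

    def generate_data_key(self, key_id: str, ctx: dict):
        self.generate_calls += 1
        plaintext_key = os.urandom(32)
        nonce = os.urandom(12)
        wrapped = nonce + _xor(plaintext_key, _keystream(self._master, nonce + _ctx_bytes(ctx), 32))
        return plaintext_key, wrapped

    def decrypt(self, wrapped: bytes, ctx: dict) -> bytes:
        self.decrypt_calls += 1
        nonce, body = wrapped[:12], wrapped[12:]
        return _xor(body, _keystream(self._master, nonce + _ctx_bytes(ctx), 32))


class CachingMaterialsManager:
    """Reuses a data key across messages until a usage limit is reached."""

    def __init__(self, kms: MockKMS, max_age_s: float = 300.0,
                 max_messages: int = 1000, max_bytes: int = 2 ** 32):
        self.kms = kms
        self.max_age_s = max_age_s
        self.max_messages = max_messages
        self.max_bytes = max_bytes
        self._cache = {}  # (key_id, context bytes) -> entry

    def get_encryption_materials(self, key_id: str, ctx: dict, plaintext_len: int):
        cache_key = (key_id, _ctx_bytes(ctx))
        now = time.monotonic()
        entry = self._cache.get(cache_key)
        if entry is not None and (now - entry["created"] > self.max_age_s
                                  or entry["messages"] >= self.max_messages
                                  or entry["bytes"] + plaintext_len > self.max_bytes):
            del self._cache[cache_key]  # limit reached: retire this data key
            entry = None
        if entry is None:
            plaintext_key, wrapped = self.kms.generate_data_key(key_id, ctx)
            entry = {"plaintext": plaintext_key, "wrapped": wrapped,
                     "created": now, "messages": 0, "bytes": 0}
            self._cache[cache_key] = entry
        entry["messages"] += 1
        entry["bytes"] += plaintext_len
        return entry["plaintext"], entry["wrapped"]


def encrypt(mgr: CachingMaterialsManager, key_id: str, ctx: dict, data: bytes) -> dict:
    """Envelope-encrypt `data`; the wrapped data key travels with the ciphertext."""
    data_key, wrapped = mgr.get_encryption_materials(key_id, ctx, len(data))
    nonce = os.urandom(12)
    return {"wrapped_key": wrapped, "nonce": nonce, "context": ctx,
            "ciphertext": _xor(data, _keystream(data_key, nonce, len(data)))}


def decrypt(kms: MockKMS, msg: dict) -> bytes:
    """Unwrap the data key through KMS, then decrypt the payload locally."""
    data_key = kms.decrypt(msg["wrapped_key"], msg["context"])
    return _xor(msg["ciphertext"], _keystream(data_key, msg["nonce"], len(msg["ciphertext"])))


if __name__ == "__main__":
    kms = MockKMS()
    mgr = CachingMaterialsManager(kms, max_messages=100)
    msgs = [encrypt(mgr, "alias/app", {"app": "demo"}, b"secret %d" % i) for i in range(250)]
    print("GenerateDataKey calls for 250 messages:", kms.generate_calls)  # 3
    print(decrypt(kms, msgs[0]))
```

With `max_messages=100`, 250 encryptions cost three `GenerateDataKey` calls instead of 250, and a different encryption context gets its own cache entry. Decryption here still makes one KMS call per message; the real SDK's caching CMM caches decrypt materials as well, keyed on the wrapped key and context.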


Definitely! And it depends on what key you're storing, but if you use AWS Secrets Manager, you can set up automatic key rotation to run periodically.


Can you easily set up policies that prevent deletion of keys?
