Use across multiple regions


CameronGo

Aug 31, 2016, 3:21:41 AM8/31/16
to confidant-users
I'm curious to know how you might be addressing the need to have systems across multiple regions. We use one region for primary and another as a sort of warm recovery site with read replicas, etc. One challenge with secrets is that the KMS CMK is locked to one region. I've entertained the notion of importing a CMK into KMS for this reason so that I could have the same key in both regions, but there are some apparent drawbacks to importing your own key.

I'd love to hear any approaches you are using in this respect.

Ryan Lane

Aug 31, 2016, 1:36:25 PM8/31/16
to CameronGo, confidant-users
Hey Cameron,

There are a few options here, and you've identified one, which is to import the same key material into KMS keys in multiple regions. It's generally a pretty good option, because it means if you replicate data from one region to another, you don't have to do the decrypt/reencrypt dance.

The next option is to stream the data cross-region using dynamo streams, where you decrypt and reencrypt the data. Let's say for instance you're in us-east-1 and us-west-2, and your primary is in us-east-1. You can enable dynamo streams and have a worker in us-west-2 that reads the stream, decrypts the at-rest data using the key in us-east-1 and encrypts it using the key in us-west-1, then writes it into the dynamo database in us-west-2. Now your data is sync'd between the two and you're ready at any point to use this as a read-only in us-west-2, or to failover to it as a primary.

Something that slightly throws a wrench into this is a new feature of confidant, called blind-credentials. It's specifically "server blinded secrets", where secrets are encrypted by end-users from the CLI using KMS, with an encryption context that only allows the target to decrypt it. In this situation you need to ensure you encrypt the blind-credential in every region before it's written to confidant. In this situation you can just replicate the data and it'll work.

Another option is to have a confidant in each region, where neither sync to each other and users update both independently. I'm not a huge fan of this option because it makes it likely that someone will forget to update one region.

Another option is to run confidant in us-west-2, with authentication occurring in that region, but its at-rest key and dynamodb backend pointed at us-east-1. This is useful in the cases where you have regions that aren't used for failover, but are needed for CDN or TLS termination purposes. In this case if your primary regions go down, your other regions will fail anyway, so it's fine if confidant is colocated there to handle auth and to ensure you don't need to expose confidant cross-region.

We're likely to add some native support for the dynamo stream option in the future.

- Ryan

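The stream worker Ryan sketches above, as an added example that is not confidant's own code: it applies DynamoDB Streams records to a replica table, decrypting under the primary region's key and re-encrypting under the replica region's key, and passes blind credentials through untouched. It assumes the at-rest ciphertext sits in a `data` attribute bound by the encryption context `{"id": ...}`, places the replica key in us-west-2 (the region the reply otherwise names), and uses a constructed in-memory `FakeKms` with boto3's `encrypt`/`decrypt` call shape in place of real clients so it runs offline.

```python
import os

class FakeKms:
    """Constructed stand-in for one region's KMS client, using boto3's call
    shape. Ciphertexts are opaque tokens known only to the region that
    minted them, which mirrors a CMK being locked to its region."""
    def __init__(self, key_id):
        self.key_id, self._vault = key_id, {}

    def encrypt(self, KeyId, Plaintext, EncryptionContext=None):
        if KeyId != self.key_id:
            raise KeyError("NotFoundException: that CMK is not in this region")
        token = os.urandom(16)
        self._vault[token] = (tuple(sorted((EncryptionContext or {}).items())), Plaintext)
        return {"CiphertextBlob": token, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        ctx, plaintext = self._vault.get(CiphertextBlob, (None, None))
        if plaintext is None or ctx != tuple(sorted((EncryptionContext or {}).items())):
            raise ValueError("InvalidCiphertextException")
        return {"Plaintext": plaintext, "KeyId": self.key_id}

def apply_stream_record(record, src_kms, dst_kms, dst_key_id, replica):
    """Apply one DynamoDB Streams record (Lambda event shape) to the replica
    table, moving the at-rest blob from the source CMK to the destination CMK."""
    item_id = record["dynamodb"]["Keys"]["id"]["S"]
    if record["eventName"] == "REMOVE":
        replica.pop(item_id, None)
        return None
    image = record["dynamodb"]["NewImage"]
    if image.get("blind", {}).get("BOOL"):
        # Blind credentials were encrypted per region by the user's CLI under a
        # context only the target can decrypt: the worker copies them verbatim.
        replica[item_id] = image
        return image
    ctx = {"id": item_id}  # assumed context binding the ciphertext to its item
    plaintext = src_kms.decrypt(CiphertextBlob=image["data"]["B"], EncryptionContext=ctx)["Plaintext"]
    blob = dst_kms.encrypt(KeyId=dst_key_id, Plaintext=plaintext, EncryptionContext=ctx)["CiphertextBlob"]
    replica[item_id] = dict(image, data={"B": blob})
    return replica[item_id]

# Constructed sample: primary in us-east-1, warm replica in us-west-2.
EAST = FakeKms("arn:aws:kms:us-east-1:111122223333:key/primary")
WEST = FakeKms("arn:aws:kms:us-west-2:111122223333:key/replica")
REPLICA = {}

def write_primary(item_id, secret):
    """Encrypt under the primary region's CMK and return the stream record the write emits."""
    blob = EAST.encrypt(KeyId=EAST.key_id, Plaintext=secret, EncryptionContext={"id": item_id})["CiphertextBlob"]
    image = {"id": {"S": item_id}, "data": {"B": blob}}
    return {"eventName": "INSERT", "dynamodb": {"Keys": {"id": {"S": item_id}}, "NewImage": image}}
```

With real clients, `src_kms` and `dst_kms` would be `boto3.client("kms", region_name=...)` for each region and `replica` a table writer; the record shape is the one DynamoDB Streams hands to a consumer.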

Cameron Gocke

Sep 2, 2016, 1:31:02 PM9/2/16
to Ryan Lane, confidant-users

Interesting options.  Thanks for all of the info.  I'll need to digest that a bit.

