Advice for using AWS HSM for encrypting secrets


Michael

Jun 12, 2020, 6:31:56 AM
to keywhiz-users
Hi,

I would like to use AWS to encrypt our secrets. 
I am not a crypto expert.

public ContentCryptographer(@Derivation SecretKey key,
    @Derivation Provider derivationProvider,
    @Encryption Provider encryptionProvider, SecureRandom random)

1) Do I replace the JCEKS derivation keystore with CloudHSM from AWS KMS?

I am unsure of how this would work when encrypting a secret.
Does the derivation provider call KMS to derive the secret based on an identifier and my master key stored in KMS?
I assume we then use that derived key to encrypt the data? If that is the case, do we cache the
derived secret in Keywhiz to make decryption fast?

2) All the encryption happens here.
  // Derives a per-secret key of blockSize bytes from the master key, using the
  // info string as the HKDF context so each secret gets its own key.
  public SecretKey deriveKey(int blockSize, String info) {
    Hkdf hkdf = Hkdf.usingProvider(derivationProvider); // --> Does this make an AWS call?
    byte[] infoBytes = info.getBytes(UTF_8);
    byte[] derivedKeyBytes = hkdf.expand(key, infoBytes, blockSize);
    return new SecretKeySpec(derivedKeyBytes, KEY_ALGORITHM);
  }

  // Encrypts or decrypts data under the key derived for this info string.
  private byte[] gcm(Mode mode, String info, byte[] nonce, byte[] data) {
    try {
      Cipher cipher = Cipher.getInstance(ENCRYPTION_ALGORITHM, encryptionProvider);
      SecretKey derivedKey = deriveKey(cipher.getBlockSize(), info);
      .....
  }

I could be totally off the mark, but thanks for any help.

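No reply appears on this page, so the following is an added example (my own code, not Keywhiz's and not the poster's) of what the HKDF-Expand step called in the posted deriveKey() actually computes: per RFC 5869 it is a short chain of HMAC calls over the key bytes, the info string and a counter, which is why the same master key and the same info string always reproduce the same per-secret key. The class name ContentKeyDeriver, its cache, the secret names and the master key bytes are all constructed for illustration; the RFC 5869 test vector is used to check the implementation.

```python
import hashlib
import hmac
from typing import Dict


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM).

    An empty salt is replaced by HashLen zero bytes, as the RFC specifies.
    """
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) || info || i), OKM = T(1) || T(2) || ...

    This is the RFC's definition of the step the posted deriveKey() invokes as
    hkdf.expand(key, infoBytes, blockSize): HMAC over the key material and the
    info string, computed wherever the HMAC provider runs.
    """
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF-Expand output length must be <= 255 * HashLen")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


# Constructed master key for this example only. In the poster's setup this role is
# played by the @Derivation SecretKey loaded from the keystore.
EXAMPLE_MASTER_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)


class ContentKeyDeriver:
    """Hypothetical class mirroring the shape of the posted deriveKey(blockSize, info).

    One master key, one derived key per info string. The in-memory cache is an
    illustrative design choice, not something the posted code does.
    """

    def __init__(self, master_key: bytes) -> None:
        self._master_key = master_key
        self._cache: Dict[bytes, bytes] = {}

    def derive_key(self, key_len: int, info: str) -> bytes:
        info_bytes = info.encode("utf-8")
        if info_bytes not in self._cache:
            # Same master key + same info -> same derived key, so a stored secret can
            # be re-derived for decryption without persisting the derived key anywhere.
            self._cache[info_bytes] = hkdf_expand(self._master_key, info_bytes, key_len)
        return self._cache[info_bytes]


def rfc5869_test_case_1() -> bool:
    """Check extract + expand against test case 1 of RFC 5869 (HMAC-SHA256)."""
    ikm = b"\x0b" * 22
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (
        prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
        and okm.hex()
        == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
    )


def per_secret_keys_differ(master_key: bytes = EXAMPLE_MASTER_KEY) -> bool:
    """Two secret names yield two different 16-byte keys; the same name yields the same key."""
    deriver = ContentKeyDeriver(master_key)
    k_a = deriver.derive_key(16, "secret:db-password")   # constructed secret names
    k_b = deriver.derive_key(16, "secret:api-token")
    return (
        len(k_a) == len(k_b) == 16
        and k_a != k_b
        and k_a == deriver.derive_key(16, "secret:db-password")
    )


if __name__ == "__main__":
    print("RFC 5869 test case 1 passes:", rfc5869_test_case_1())
    print("per-secret keys differ and re-derive identically:", per_secret_keys_differ())
```

A 16-byte key_len matches what the posted code requests via cipher.getBlockSize() for AES. Because HKDF-Expand is only a few HMAC calls, a derived-key cache buys little speed; its real cost is that per-secret key material stays resident in the process for as long as the cache lives, which is worth weighing against whatever protection the master key itself gets.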