Geek Logbook

Tech sea log book

Data Encryption at AWS S3

What is Encryption at rest?

Encryption uses an algorithm to convert plaintext into ciphertext, which is unreadable to anyone who obtains it without the key. There are many encryption schemes, but in all of them you need a key to decrypt the sensitive information. The algorithm uses a key to encrypt the data and, depending on the algorithm, the same key or a different one to decrypt it. If the same key is used for both encryption and decryption, it is symmetric encryption; otherwise, it is asymmetric encryption.

Data is the heart of what you want to protect, so let's distinguish between data in motion (also called data in transit) and data at rest. Data in motion is data that is travelling between systems, for example being exchanged between applications during normal daily use. There is some disagreement about exactly where the boundary lies between data at rest, data in motion and a third state, data in use; it depends on the layer you analyse, whether the network, the CPU, RAM memory, or storage. For example, an email while it is being sent is data in transit, while a file stored on a hard drive is data at rest.

Whatever point of view you take on these boundaries, data at rest matters because it has to be protected from processes or people that want to read it and are not authorized to.

What Happens in AWS?

In Amazon Web Services, and specifically in S3, data protection covers both data in transit (data travelling to and from Amazon S3) and data at rest (data while it is stored on Amazon S3).

To protect data in transit, Amazon S3 relies on:

  1. Secure Socket Layer/Transport Layer Security (SSL/TLS): traffic to and from S3 is sent over HTTPS, and a bucket policy can deny any request that does not arrive over TLS.

To protect data at rest in Amazon S3 there are two families of options:

  1. Server-side encryption: S3 encrypts the object before writing it to disk in AWS data centers and decrypts it when you download it.
    • Server-side encryption with Amazon S3 managed keys (SSE-S3) is the default encryption configuration for every bucket in Amazon S3.
    • Other options are:
      • Server-side encryption with AWS KMS keys (SSE-KMS)
      • Dual-layer server-side encryption with AWS KMS keys (DSSE-KMS)
      • Server-side encryption with customer-provided keys (SSE-C)
  2. Client-side encryption: you encrypt the data yourself before uploading it, so S3 only ever stores ciphertext and never holds the key.

In general, these tools complement each other: SSL/TLS secures data in transit, while the server-side and client-side encryption options protect data at rest in Amazon S3.
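The mode a client asks for is carried in request headers, and the only way to guarantee that objects land encrypted the way you intend is to refuse anything else at the bucket. The following is an added example, not code from the original post or from AWS: it classifies a PutObject request by the real S3 encryption headers, builds a bucket policy that denies non-TLS requests and any upload that is not SSE-KMS with a specific key, and evaluates requests against that policy using simplified IAM semantics (explicit Deny wins; a negated string operator matches when the key is absent). The bucket name and KMS key ARN are placeholders.

```python
"""Model of the S3 request headers that select a server-side encryption
mode, plus a bucket policy that refuses unencrypted transport and any
PutObject that is not SSE-KMS.  Added example, not the post's own code;
bucket name and key ARN below are placeholders."""

# Real S3 request headers.  When neither is present S3 applies the
# bucket default, which is SSE-S3 unless the bucket has been configured otherwise.
SSE_HEADER = "x-amz-server-side-encryption"
SSE_KMS_KEY_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"
SSE_C_ALGO_HEADER = "x-amz-server-side-encryption-customer-algorithm"

SSE_MODES = {"AES256": "SSE-S3", "aws:kms": "SSE-KMS", "aws:kms:dsse": "DSSE-KMS"}


def sse_mode(headers: dict) -> str:
    """Classify a PutObject request by the server-side encryption it asks for."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get(SSE_C_ALGO_HEADER) == "AES256":
        return "SSE-C"                      # caller supplies the key on every request
    value = h.get(SSE_HEADER)
    if value is None:
        return "default"                    # bucket default encryption applies
    return SSE_MODES.get(value, "unknown")


def bucket_policy(bucket: str, kms_key_arn: str) -> dict:
    """Three Deny statements: no plaintext transport, no PutObject without
    SSE-KMS, and no PutObject with a KMS key other than the expected one."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "DenyPutWithoutKms", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             "Condition": {"StringNotEquals": {"s3:" + SSE_HEADER: "aws:kms"}}},
            {"Sid": "DenyPutWithWrongKey", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             "Condition": {"StringNotEquals": {"s3:" + SSE_KMS_KEY_HEADER: kms_key_arn}}},
        ],
    }


def condition_matches(cond: dict, ctx: dict) -> bool:
    """Simplified IAM condition evaluation for the two operators used above."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "Bool":
                if actual != expected:
                    return False
            elif op == "StringNotEquals":
                # IAM: a negated operator matches when the key is absent, which is
                # exactly what makes "Deny unless header == aws:kms" catch bare uploads.
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError(f"operator not modelled: {op}")
    return True


def put_allowed(policy: dict, headers: dict, secure_transport: bool) -> tuple:
    """Evaluate one PutObject against the policy.  Returns (allowed, denying Sid).
    Identity policies are assumed to Allow, so only the Deny statements matter."""
    ctx = {"aws:SecureTransport": "true" if secure_transport else "false"}
    for k, v in headers.items():
        ctx["s3:" + k.lower()] = v           # S3 exposes its headers as s3:* condition keys
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a in ("s3:*", "s3:PutObject") for a in actions):
            continue
        if condition_matches(stmt["Condition"], ctx):
            return False, stmt["Sid"]
    return True, ""


if __name__ == "__main__":
    # Placeholder ARN (assumption); constructed requests, not captured traffic.
    KEY = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
    policy = bucket_policy("example-bucket", KEY)
    good = {SSE_HEADER: "aws:kms", SSE_KMS_KEY_HEADER: KEY}
    print(sse_mode(good), put_allowed(policy, good, True))
    print(sse_mode({}), put_allowed(policy, {}, True))
    print(sse_mode({SSE_HEADER: "AES256"}), put_allowed(policy, {SSE_HEADER: "AES256"}, True))
    print(put_allowed(policy, good, False))
```

Note that an SSE-C upload sends `x-amz-server-side-encryption-customer-algorithm` and no `x-amz-server-side-encryption` header, so this policy denies it too; that is the intended effect of enforcing one mode, and you would drop the KMS statements if SSE-C or SSE-S3 is what you actually want to mandate.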
