Intro:
twtech dives deep into Client-Side Encryption (CSE) in AWS.
- This complements Server-Side Encryption (SSE).
- However, Client-Side Encryption gives twtech full control of the encryption keys and of the encryption process before data even reaches AWS.
- In this scenario, twtech does not trust the server to handle the encryption/decryption process.
The concept: Client-Side Encryption
- Client-Side Encryption (CSE) means that data is encrypted by the twtech application before it is sent to AWS, and decrypted by twtech only after it is retrieved.
- AWS services store and transmit only ciphertext, never plaintext.
NB:
AWS never has access to twtech's unencrypted data or encryption keys.
Key Concepts
1. Data Encryption Key (DEK)
- Symmetric key used to encrypt twtech data locally.
- Generated and managed by twtech (or optionally by the AWS SDK with KMS).
2. Master Key (CMK / Customer Key)
- Used to encrypt (wrap) the DEK.
- Stored securely in AWS KMS, CloudHSM, or your own key management system.
3. Envelope Encryption
Same as with SSE — but everything happens client-side:
- Generate a DEK
- Encrypt the data locally using the DEK
- Encrypt the DEK with the Master Key
- Upload:
  - Ciphertext data
  - Encrypted DEK (metadata)
Types of Client-Side Encryption in AWS

| Encryption Mode | Key Source | Managed By | Use Case |
|---|---|---|---|
| AWS SDK CSE (with KMS) | KMS CMK | AWS KMS + SDK | Easy hybrid control (twtech manages the CMK, the SDK handles the DEK) |
| AWS SDK CSE (Custom Keys) | Locally managed | twtech | Full key control, no AWS key dependency |
| S3 Encryption Client (deprecated) | Local key/KMS | twtech/AWS | Used before the AWS Encryption SDK |
| AWS Encryption SDK | Local key/KMS | twtech/AWS | Current best practice for client-side encryption |
AWS Encryption SDK
A client library designed for application-level encryption that:
- Uses envelope encryption automatically
- Can integrate with AWS KMS or local keys
- Provides data key caching, key commitment, and multi-key wrapping
Supported languages: Python, Java, JavaScript, C, and more.
Encryption/Decryption Flow (Client-Side Encryption)
Step-by-Step Flow (with AWS Encryption SDK + KMS)
Encryption (Write Path):
- Application requests encryption.
- AWS Encryption SDK:
  - Calls KMS GenerateDataKey to get:
    - Plaintext DEK
    - Encrypted DEK (ciphertext key)
  - Encrypts the data locally using the DEK (AES-256-GCM).
  - Stores or uploads:
    - Encrypted data
    - Encrypted DEK
    - Encryption context metadata
  - Discards the plaintext DEK immediately.
Decryption (Read Path):
- Application downloads the encrypted object + metadata.
- SDK extracts the encrypted DEK.
- Calls KMS Decrypt to get the plaintext DEK.
- Decrypts the ciphertext locally.
- Discards the plaintext DEK again after use.
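The write and read paths above, as an added example (this is not code from the page or from the AWS Encryption SDK). It assumes the `cryptography` package is installed and uses a local 256-bit master key as a stand-in for a KMS CMK, so the local wrap/unwrap steps play the roles of KMS GenerateDataKey and Decrypt; the encryption context is bound into both the data ciphertext and the wrapped DEK as GCM associated data, so a changed context or a tampered object fails to decrypt.

```python
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit GCM nonce, stored in front of each ciphertext


def generate_master_key() -> bytes:
    """Constructed stand-in for a KMS CMK; with real KMS this key never leaves KMS."""
    return AESGCM.generate_key(bit_length=256)


def _context_aad(context: dict) -> bytes:
    # Canonical encoding of the encryption context, used as AAD so that both the
    # wrapped DEK and the data ciphertext are cryptographically bound to it.
    return json.dumps(context, sort_keys=True).encode()


def encrypt_object(master_key: bytes, plaintext: bytes, context: dict) -> dict:
    """Write path: returns exactly what gets uploaded; the plaintext DEK is discarded."""
    aad = _context_aad(context)
    dek = AESGCM.generate_key(bit_length=256)             # 1. generate a DEK locally
    data_nonce = os.urandom(NONCE_LEN)
    ciphertext = AESGCM(dek).encrypt(data_nonce, plaintext, aad)  # 2. AES-256-GCM, client side
    wrap_nonce = os.urandom(NONCE_LEN)
    wrapped = AESGCM(master_key).encrypt(wrap_nonce, dek, aad)    # 3. wrap DEK (GenerateDataKey role)
    del dek                                               # 4. drop the plaintext DEK
    return {                                              # 5. upload: data, wrapped DEK, context
        "ciphertext": data_nonce + ciphertext,
        "wrapped_dek": wrap_nonce + wrapped,
        "context": dict(context),
    }


def decrypt_object(master_key: bytes, obj: dict, expected_context: dict) -> bytes:
    """Read path: check the context, unwrap the DEK, decrypt locally, drop the DEK."""
    if obj["context"] != expected_context:
        raise ValueError("encryption context mismatch")   # refuse before touching any key
    aad = _context_aad(obj["context"])
    wrapped, data = obj["wrapped_dek"], obj["ciphertext"]
    try:
        dek = AESGCM(master_key).decrypt(wrapped[:NONCE_LEN], wrapped[NONCE_LEN:], aad)  # KMS Decrypt role
        return AESGCM(dek).decrypt(data[:NONCE_LEN], data[NONCE_LEN:], aad)
    except InvalidTag:
        raise ValueError("integrity check failed") from None  # tampered data, DEK or context
    finally:
        dek = None                                        # plaintext DEK discarded again
```

With real KMS, the same context dictionary is passed as the EncryptionContext of the GenerateDataKey and Decrypt calls, which is what makes the "Enforce Encryption Contexts" best practice below enforceable by KMS key policies and visible in CloudTrail.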
Example: S3 Client-Side Encryption Flow
AWS KMS APIs Used (if KMS-backed)
- GenerateDataKey
- Decrypt
- Encrypt
- ReEncrypt
- DescribeKey
- ListKeys
Security Characteristics

| Feature | Client-Side Encryption | Server-Side Encryption |
|---|---|---|
| Key control | Full customer control | AWS-managed (optionally customer-managed CMK) |
| Encryption location | In application (client) | In AWS service |
| AWS access to plaintext | ❌ Never | ✅ Temporarily (before storage) |
| Performance overhead | Higher (client CPU/memory) | Minimal |
| Compliance | Strongest isolation | Meets AWS compliance standards |
Advantages
- Zero trust on AWS storage — AWS never sees plaintext.
- Meets strict regulatory or internal compliance (FIPS, GDPR, PCI-DSS).
- Integrates seamlessly with AWS Encryption SDK and KMS.
- Portable — can be encrypted before uploading to any storage (S3, EFS, on-prem).
Challenges
- Key management complexity — must handle secure rotation and backup.
- Client-side performance overhead — encryption/decryption done locally.
- Loss of key = loss of data — no recovery if the key is lost.
- No AWS-side features — services like S3 Select or Athena cannot operate on data that was encrypted client-side.
Example Architecture
Best Practices
- Use AWS Encryption SDK instead of manual crypto.
- Enforce Encryption Contexts — prevent key misuse.
- Cache data keys securely using the Data Key Caching feature.
- Regularly rotate CMKs and archive old keys.
- Log all KMS operations in CloudTrail.
- Use envelope encryption for scalability.