Monday, October 13, 2025

Server-side encryption at rest | Deep Dive.


A twtech deep dive into Server-Side Encryption (SSE) in AWS

Scope:

  • Overview,
  • Core Components,
  • Types of Server-Side Encryption,
  • AWS Services Using SSE,
  • Encryption/Decryption Flow (SSE-KMS Example),
  • KMS (Key Management Service) Integration Details,
  • Envelope-Encryption-Architecture,
  • Best Practices,
  • SSE (Server-Side Encryption) vs. CSE (Client-Side Encryption).

 Overview

  • Server-Side Encryption (SSE) means AWS encrypts twtech data at rest on its behalf, before saving it to disk (e.g., in S3, EBS, RDS, DynamoDB, etc.).
  • AWS decrypts data transparently when twtech accesses it.
  • twtech doesn’t have to handle encryption/decryption in its application code — AWS does the encryption/decryption on the server side.

 Core Components

1. Data Encryption Keys (DEK)

  • Each object or resource (e.g., S3 object, EBS volume) is encrypted using a unique symmetric key — the DEK.
  • AWS never stores your data unencrypted; DEKs are protected by wrapping them with a Customer Master Key (CMK).

2. Customer Master Key (CMK) / KMS Key

  • Managed in AWS Key Management Service (KMS).
  • Used to encrypt (wrap) and decrypt (unwrap) the DEK.
  • CMKs are rotated, audited, and secured in HSMs (FIPS 140-2 Level 3).

3. Envelope Encryption

AWS uses envelope encryption to optimize performance:

  • Generate a unique DEK for each object.
  • Encrypt the data using that DEK.
  • Encrypt (wrap) the DEK with a CMK.
  • Store both:
    • The encrypted data
    • The encrypted DEK (ciphertext key) alongside it

 Types of Server-Side Encryption

Encryption Type | Key Managed By | Description                                                  | Example Use Case
SSE-S3          | AWS S3         | AWS manages the keys automatically                           | Default for S3 buckets
SSE-KMS         | AWS KMS        | Uses KMS CMKs; gives you audit control, rotation, and grants | Compliance & audit-heavy environments
SSE-C           | Customer       | twtech supplies the encryption key with each request         | When you must fully manage keys yourself

 AWS Services Using SSE

Service                   | Encryption Mechanism                     | Key Management
Amazon S3                 | SSE-S3 / SSE-KMS / SSE-C                 | S3 or KMS
Amazon EBS                | AES-256 (via KMS)                        | KMS CMK
Amazon RDS                | Transparent Data Encryption (TDE) or KMS | KMS CMK
Amazon DynamoDB           | AES-256 (via KMS)                        | KMS CMK
Amazon SQS / SNS / Lambda | KMS                                      | KMS CMK

 Encryption/Decryption Flow (SSE-KMS Example)

Let’s go step-by-step through S3 with SSE-KMS:

1. Upload (Write Path)

  1. App uploads object to S3 with SSE-KMS enabled.
  2. S3 calls KMS GenerateDataKey API:
    • Returns:
      • Plaintext DEK
      • Encrypted DEK (ciphertext key) (wrapped with CMK)
  3. S3 encrypts the object data with the plaintext DEK (AES-256).
  4. S3 stores:
    • The encrypted data
    • The encrypted DEK (ciphertext key)
    • Metadata indicating which CMK was used
  5. The plaintext DEK is discarded immediately.

2. Read (Decrypt Path)

  1. App requests the object.
  2. S3 retrieves:
    • Encrypted object data
    • Encrypted DEK
  3. S3 sends the encrypted DEK to KMS (Decrypt API).
  4. KMS returns the plaintext DEK (if IAM permissions allow).
  5. S3 decrypts the data with the DEK and returns plaintext to the app.
  6. The plaintext DEK is again discarded after use.

 KMS (Key Management Service) Integration Details

KMS APIs involved in SSE:

  • GenerateDataKey – Creates a DEK (plaintext + encrypted copy)
  • Encrypt – Encrypts plaintext data or keys
  • Decrypt – Decrypts encrypted DEKs
  • ReEncrypt – Re-wraps data keys with a new CMK
  • DescribeKey – Fetches metadata and policy details
  • ListKeys / ListAliases – Key management and discovery

CMK (Customer-Managed Keys) Policies

  • Control which IAM principals can:
    • Use the key (kms:Encrypt, kms:Decrypt)
    • Administer it (kms:CreateKey, kms:ScheduleKeyDeletion)

[Figure: Envelope-Encryption-Architecture]

 Best Practices

  • Use SSE-KMS for most workloads — strong audit and access control.
  • Enable bucket default encryption (S3) to enforce encryption at upload.
  • Use key policies + IAM policies to restrict usage.
  • Rotate CMKs automatically (yearly by default).
  • Enable CloudTrail logging for all KMS API calls.
  • Limit KMS grants and aliases to prevent privilege escalation.

 SSE (Server-Side Encryption) vs. CSE (Client-Side Encryption)

Aspect              | Server-Side Encryption     | Client-Side Encryption
Encryption location | AWS Service                | Application
Key control         | AWS / twtech (via KMS)     | Full customer control
Auditability        | High (via CloudTrail, KMS) | Depends on implementation
Performance         | Optimized / transparent    | App-level overhead
Compliance          | Built into AWS services    | Custom implementation required
