Using KMS for Object Storage Encryption

Introduction

StorReduce can optionally encrypt all data it writes to and reads from the backend Object Store using cryptographic keys generated by KMS. SSL/TLS already provides encryption in transit; the Amazon services described here add encryption-at-rest functionality to StorReduce.

Several encryption-at-rest options are available for use with StorReduce:

  • SSE-S3 for server-side encryption at rest with Amazon S3-managed keys. With this option, Amazon maintains a master key, which is in turn used to generate unique data encryption keys; each object is encrypted with its data encryption key using the AES-256 block cipher. Retrieving the data requires access to the master key, which Amazon maintains separately, to decrypt the data key, which in turn decrypts the data object.

  • CSE for client-side encryption, where StorReduce applies the encryption key. When using CSE, StorReduce requests a data key generated under a particular master key, uses the plaintext data key to encrypt the object data, and then saves the resulting object alongside the encrypted data key and related metadata.

  • SSE-KMS for server-side encryption at rest using KMS-generated keys. This works in a similar fashion to SSE-S3, except that the master key is obtained from the AWS KMS service. It can be the default KMS master key or one that you provide, which gives you the flexibility of using your own key material if you need to meet additional standards of randomness or fine-grained lifecycle management.

With StorReduce, you can apply any of these encryption options from the StorReduce dashboard. Alternatively, you can enable server-side encryption (SSE-S3 or SSE-KMS) by directly modifying the policies of your S3 bucket.

This guide shows how to enable these options within StorReduce.

Enabling SSE-S3 within StorReduce

When setting up StorReduce, the Settings page contains a checkbox to enable Server Side Encryption. Select this option before saving your settings for the first time.

You may enable Server Side Encryption after writing data to StorReduce; however, only new unique blocks that get added to StorReduce will be encrypted.

SSE S3 checkbox

Enabling CSE or SSE-KMS

Setting up KMS

CSE and SSE-KMS both require the setup of a KMS master key with appropriate permissions.

First, navigate to IAM in AWS:

IAM in AWS Menu

Next, navigate to the Encryption Keys section of IAM:

Encryption Keys in AWS IAM Menu

Opt to create a key in the region at which StorReduce is pointed:

Create KMS Key in Region

Follow the wizard, noting that you have the option to let KMS generate the key material, or upload your own in step 1.

KMS Step 1 of 5 of Wizard

Add any tags you require. We chose to leave these blank for this example.

KMS Step 2 of 5 of Wizard

Select appropriate admin accounts for the master key. NOTE: these permissions do NOT include the right for StorReduce to use the key; they are for administration purposes only.

KMS Step 3 of 5 of Wizard

Select the account that StorReduce uses to encrypt data with the key. Please note that if you are using IAM roles, you can leave this blank and later add a statement like the following to the StorReduce role in AWS (the original snippet had a stray trailing comma after "kms:Decrypt", which is not valid JSON):

  {
    "Effect": "Allow",
    "Action": [
      "kms:GenerateDataKey*",
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    ]
  }

KMS Step 4 of 5 of Wizard

Review the policy you are creating from the wizard and click ‘Finish’.

KMS Step 5 of 5 of Wizard

Once this is completed, find your key in the Encryption Keys table and copy the full ARN of the key, for example:

arn:aws:kms:us-east-1:123123123123:key/2215c039-0cc4-4258-8c6c-857f14cfd9c9

This value can be used to configure either CSE or SSE-KMS.
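As an added example (not StorReduce's own code), the following Python helper parses a KMS key ARN like the one above, checks that the key was created in the region StorReduce is pointed at, builds the role statement shown in the previous step, and reports which of the required KMS actions an existing IAM policy document fails to grant. The ARN pattern and the IAM action-wildcard matching are my assumptions about the AWS formats, and explicit Deny statements are not evaluated.

```python
import json
import re

# Constructed pattern for a KMS customer master key ARN (matches the example above).
KEY_ARN_RE = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/"
    r"(?P<key_id>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$"
)
# Actions granted to the StorReduce role, as in the policy statement in the setup step.
STATEMENT_ACTIONS = ("kms:GenerateDataKey*", "kms:Decrypt")
# Concrete KMS calls the role must be able to make (GenerateDataKey* covers the first).
REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")


def parse_key_arn(arn):
    """Return (region, account, key_id) for a KMS key ARN; raise ValueError otherwise."""
    m = KEY_ARN_RE.match(arn.strip())
    if not m:
        raise ValueError("not a KMS key ARN: %r" % arn)
    return m.group("region"), m.group("account"), m.group("key_id")


def check_key_region(arn, storreduce_region):
    """True only if the key lives in the region StorReduce's bucket is in."""
    return parse_key_arn(arn)[0] == storreduce_region


def storreduce_kms_statement(arn):
    """Build the least-privilege IAM statement to add to the StorReduce role for this key."""
    parse_key_arn(arn)  # fail early on a malformed ARN
    return {"Effect": "Allow", "Action": list(STATEMENT_ACTIONS), "Resource": [arn]}


def _covers(granted, required):
    # Assumed IAM action matching: "*" in a granted action is a wildcard, e.g. "kms:GenerateDataKey*".
    pattern = "^" + re.escape(granted).replace(r"\*", ".*") + "$"
    return re.match(pattern, required, re.IGNORECASE) is not None


def missing_kms_permissions(policy_json, arn):
    """Return the REQUIRED_ACTIONS that an IAM policy document does not Allow on `arn`."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    granted = set()
    for st in statements:
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if st.get("Effect") != "Allow" or not any(r in ("*", arn) for r in resources):
            continue
        actions = st.get("Action", [])
        granted.update([actions] if isinstance(actions, str) else actions)
    return [a for a in REQUIRED_ACTIONS if not any(_covers(g, a) for g in granted)]
```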

CSE

For CSE, enter the value into the Key Management Service input.

CSE input

SSE-KMS

For SSE-KMS, enter the value into the Server Side Encryption - KMS input.

SSE-KMS input

Finally… Save StorReduce Settings and Restart StorReduce Server

Click the Save Settings ... button at the bottom of the Settings page. If StorReduce is in a cluster, you will need to restart each of the StorReduce nodes from the command line using sudo storreducectl server restart.

Using KMS in a private VPC over Direct Connect

If KMS is used in conjunction with AWS Direct Connect and KMS traffic must not be routed over the internet, you can create a PrivateLink interface endpoint for KMS; for more information, see the AWS documentation on VPC endpoints for KMS. The value of this endpoint is then entered on the StorReduce Settings page, in the field below the one in which the Master Key ID was entered.

Summary

In this document we have explained how to configure the KMS Settings in the StorReduce server. If you have any questions please contact StorReduce Support help@storreduce.com.