Database Backups 101: Cloud Encryption Key Management

Database Backups 101: Cloud Encryption Key Management

Profile picture for user sarojini
Sarojini Devi Nagappan
03 March 2020

Data security is a topic increasing in interest as organisations are moving more and more data (including sensitive data) to a cloud infrastructure. 

Data residing in a cloud environment needs strong protections, among them being strong encryption key management. Encryption is an algorithm used to encrypt data. To decode the encrypted data, you would need the data encryption key to decode the encrypted data, either by a human or an application. 

It is obvious that if anyone has access to the encryption key, it is like providing direct access to the data. Because of this fact, it is important to keep data separated from the encryption keys. This is a key part of several compliance and data protection regulations, as well as a step to take to meet the best practices outlined by Cloud Security Alliance.

Encryption Key Management

Key management is a method of separating the data and the encryption key for security purposes. You can have very strong encryption, but if it lacks a key management process, the data is still vulnerable to security attacks. This type of key management involves generating, exchanging, storing, destroying, and replacement of encryption keys. 

There are two types of keys; symmetric and asymmetric keys. A symmetric key is used for data at rest where the same encryption key will be used to encrypt and decrypt a text. Asymmetric keys are used for data in transit and require a pair of keys for each transaction namely the private and public key. Public keys, available to all are used to encrypt the data and private keys are used to decrypt the keys and should be only accessible to anyone who has rights to view the data. 

Symmetric Key Management

When a user makes a request for an encrypted data, a data encryption key (DEK) request will be sent by the application or data storage to the key management application program interface (KM API). This API is responsible to retrieve the data encryption key from the key management server and pass it back to KM API upon certification validation. The KM API will send a certificate to the Key Manager(KM) for validation. 

Upon certificate verification, the KM will send its certification to KM API for acceptance and authentication. Next, the KM decrypts the data encryption key to the KM API over an encrypted session. KM API will then send this DEK to the application and then the application sends the plain text to the user.


Asymmetric Key Management

The sender and receiver have to verify each other’s certificate, then the public keys are exchanged between both parties. The sender creates a symmetric encryption key for one session and encrypts the data to be sent. Next, the symmetric encryption key is encrypted with the public key. This encrypted key and data are then sent to the receiver. The receiver will need to decrypt the encrypted symmetric key with a private key and use the decrypted symmetric key to decrypt the data.


Securing the Encryption Keys on the Cloud

Protecting the key is all about limiting authorised access to the encryption keys. With more data residing on the cloud, it is the cloud providers or the data owners responsibility to secure the data. 

Cloud providers should allow their customers to bring encrypted or offer encryption as part of their services. Either way key management has to be handled by the cloud provides as it is an important part of compliance for data security. Hardware security module (HSM) as a service or a key management service (KMS) are some ways to manage encryption key management to protect encrypted cloud data.

Hardware Security Module(HSM) 

The hardware security module is a physical device to manage the security of the key for authentication and provides crypto processing. This plug-in card of device can be attached to a network or computer which makes it a good solution for on-premise data centers. HSM protects the whole life cycle of the encryption key and it complies with FIPS 140-2 Level 3 certification. Having said all the good points, it is not a perfect solution for the cloud environment because of the following concerns

  • Location of the HSM: should the user use the HSM on the cloud, or should the cloud use the HSM on-premise
  • Latency: If the HSM is on-premise and data on the cloud, this combination might cause latency and impact encryption and decryption process
  • HSM management: If you have multiple cloud providers, you might need to have different HSM management tool for each of them

Key Management Services (KMS)

KMS offers centralised encryption key management and allows import and export of existing keys. It is a good solution for the cloud environment because it eliminates the cost and overhead of managing on-premises HSM solution. The only threat would be the key and data share the same location at best it should be separated to increase the level of security. KMS is also the best solution if the organization has only one cloud service provider, it does not work well with a multi-cloud environment.

Hardware Security Module(HSM) as-a-Service

KMS has its restriction on the heterogeneous cloud environment and HSM works best for on-premises encryption key management. HSM as a service gives key management for the cloud and on-premises meaning you don't have to worry about locations or latency and it does not compromise on security because the data and encryption key can be at different locations. What's more, HSM as a service is also cloud-neutral, so it works well with a heterogeneous cloud environment.


Regardless of the type of cloud services adopted by an organisation, whether it is an IaaS, PaaS or SaaS cloud security is important and so is the encryption key management. It is also an important attribute for compliance. 

The idea of key management would be to protect the encryption key as this key enables access to encrypted data. The organisation should be asking the cloud service providers on the tools and solutions used to store the keys, how and who access the key and what is the recovery plan for the key. The last question would be if there are multiple keys, how are the keys are distributed and the method used to manage the entire life cycle of these keys. 

A good cloud encryption key management should be cloud-neutral, scalable, separates the key and data, globally available and able to give on-premises HMS security and also available in a distributed cloud environment. Azure Key Vault, AWS Key Management Services, HashiCorp Vault, and AWS CloudHSM are some of the leading encryption key management solutions. These software enforces key storage and distribution policies and has key storage and backup functionality.