Key Management Service
This page describes the ApeiroRA Key Management Service.
The Key Management Service (KMS
Functional Overview
- Protect root keys with a Hardware Security Module (HSM)
- Manage software keychains and the root key that protects them
- Control encryption keys across several platforms and heterogeneous infrastructure providers at once
- Disable root keys to prevent access to encrypted data at rest
Concepts
Protecting data at rest requires encryption keys to encrypt the data and a means to store these keys securely.
Encryption keys can be stored securely in a Hardware Security Module (HSM). An HSM is a dedicated piece of hardware that provides means to prevent, detect, or respond to (physical) tampering with the device and usually contains dedicated processors for cryptographic operations.
Not all encryption keys are stored directly in an HSM. Instead, encryption keys usually form a hierarchy of keys, also called a keychain, in which an encryption key is wrapped (i.e. encrypted) by a higher-level encryption key. This process is repeated along the keychain until an encryption key is wrapped by a key that is protected by an HSM. This mechanism allows a small number of encryption keys to be stored in the HSM, while the other encryption keys along the keychain can be stored in regular storage in wrapped (i.e. encrypted) form.
Encryption keys can be addressed more specifically depending on their usage:
- Data Encryption Keys (DEKs) are used to encrypt data
- Key Encryption Keys (KEKs) wrap/encrypt DEKs
- Root Keys wrap/encrypt KEKs and are stored in an HSM
The concept of a keychain may exist on different levels of abstraction. For example, a database that supports encryption of data at rest may accept one encryption key to encrypt the data. In most cases, however, the database will internally derive additional KEKs and DEKs from that encryption key to form an internal keychain. At the same time, a keychain may exist on the level of the cluster that the database is deployed to, perhaps along with other storage systems. On that level of abstraction, the encryption key that the database expects may just be one of the DEKs of the cluster-level keychain. The cluster-level keychain may eventually link all storage systems up to one root key, resulting in a single encryption key that protects all data of the cluster.
The ApeiroRA Key Management Service takes this concept one step further and applies it to multiple clusters on the same platform or even across heterogeneous infrastructure providers. It thereby offers a consistent interface for managing encryption of data at rest.
The encryption keys along the keychain of the ApeiroRA Key Management Service can be associated with systems. This allows keys and their access to be managed either individually (i.e. usually per storage backend) or from a system-centric perspective.
Architecture
The ApeiroRA Key Management Service consists of several logical components:
- HSM integration allows connecting HSMs from different providers, including on-premise HSMs and cloud HSM services.
  A selected set of HSM providers is supported out of the box. A plugin mechanism allows adding support for additional HSM providers.
- Root key management allows managing root keys that are protected by an HSM.
  Root keys can be generated by the Key Management Service and stored securely in the HSM. Alternatively, existing key material can be imported into the HSM (bring your own key), or a key that already exists in the HSM can be used (hold your own key).
- Software keychain management allows managing the hierarchy of keys.
  This includes modifying the assignment of Root Keys to KEKs for wrapping purposes or disabling root keys to prevent access to encrypted data at rest.
- Infrastructure integration connects the keychain to different infrastructure providers, such as IronCore or CobaltCore. Project IronCore is an open source system for managing compute and storage workloads across multiple providers; CobaltCore is a reimagined and opinionated OpenStack distribution fully utilizing ApeiroRA, complementing IronCore as an alternative for traditional workloads and ensuring backward compatibility.
  Both IronCore and CobaltCore provide block and object storage services and integrate with the Key Management Service out of the box.
  A plugin mechanism allows adding support for additional infrastructure providers.
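The keychain described under Concepts (root key in the HSM, KEK wrapped by the root key, DEK wrapped by the KEK) and the two software keychain operations named above (reassigning a KEK to a different root key, disabling a root key) can be made concrete in a small Go program. This is an added example, not ApeiroRA code and not the interface of any supported HSM provider: the `simHSM` and `Keychain` types and all function names are assumptions made for illustration, AES-256-GCM stands in for whichever wrap algorithm a real HSM offers, and the simulated HSM keeps root key bytes in process memory where a real one keeps them in tamper-resistant hardware.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG (used for keys and nonces).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // documented never to fail and to fill b entirely (Go 1.24+)
	return b
}

// aead builds AES-256-GCM; every key in this example is 32 bytes.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a non-32-byte key is a programming error in this example
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// seal encrypts plaintext under key; the random nonce is prepended to the output.
func seal(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key fails GCM authentication instead of yielding garbage.
func open(key, sealed []byte) ([]byte, error) {
	g := aead(key)
	if ns := g.NonceSize(); len(sealed) >= ns {
		return g.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// simHSM is a hypothetical stand-in for a real HSM (illustration only, not an ApeiroRA
// component): root key bytes never leave it; callers get wrap/unwrap by key ID. Disable
// drops the material here, whereas a real HSM keeps it behind a state flag and can re-enable it.
type simHSM map[string][]byte

func (h simHSM) GenerateRootKey(id string) { h[id] = randomBytes(32) }
func (h simHSM) Disable(id string)         { h[id] = nil }

func (h simHSM) Wrap(id string, kek []byte) ([]byte, error) {
	if k := h[id]; k != nil {
		return seal(k, kek), nil
	}
	return nil, fmt.Errorf("root key %q is missing or disabled", id)
}

func (h simHSM) Unwrap(id string, wrapped []byte) ([]byte, error) {
	if k := h[id]; k != nil {
		return open(k, wrapped)
	}
	return nil, fmt.Errorf("root key %q is missing or disabled", id)
}

// Keychain is the part kept in regular storage: a root key ID plus wrapped keys only.
type Keychain struct {
	RootID     string
	WrappedKEK []byte // KEK sealed under the root key, which never leaves the HSM
	WrappedDEK []byte // DEK sealed under the KEK; the DEK encrypts the actual data
}

func NewKeychain(h simHSM, rootID string) (*Keychain, error) {
	kek, dek := randomBytes(32), randomBytes(32)
	wkek, err := h.Wrap(rootID, kek)
	if err != nil {
		return nil, err
	}
	return &Keychain{RootID: rootID, WrappedKEK: wkek, WrappedDEK: seal(kek, dek)}, nil
}

// DEK walks the chain top-down: the HSM unwraps the KEK, the KEK unwraps the DEK.
func (kc *Keychain) DEK(h simHSM) ([]byte, error) {
	kek, err := h.Unwrap(kc.RootID, kc.WrappedKEK)
	if err != nil {
		return nil, err
	}
	return open(kek, kc.WrappedDEK)
}

// Rewrap reassigns the KEK to another root key; WrappedDEK and all data stay untouched.
func (kc *Keychain) Rewrap(h simHSM, newRootID string) error {
	kek, err := h.Unwrap(kc.RootID, kc.WrappedKEK)
	if err != nil {
		return err
	}
	wkek, err := h.Wrap(newRootID, kek)
	if err != nil {
		return err
	}
	kc.RootID, kc.WrappedKEK = newRootID, wkek
	return nil
}
```

Two properties follow from the structure and are worth checking against a real deployment. `Rewrap` changes only `RootID` and `WrappedKEK`, so moving a KEK to a new root key (or rotating the root) never touches `WrappedDEK` or the data encrypted under the DEK. After `Disable`, every `DEK` call fails at the `Unwrap` step, which is what turns disabling a root key into an effective denial of access to all data at rest beneath it; the caveat is that this only holds once no consumer still holds an unwrapped DEK in memory, so disabling a root key should be paired with evicting cached keys from the storage backends.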