KMS Server side encryption
Before understanding server-side encryption we need to understand the difference between encryption at rest and encryption in transit.
What is Encryption at Rest?
-> Encryption at rest means encrypting your data while it sits in storage.
Benefits: your data is encrypted, so even if someone breaks into the cloud storage or a hard disk ends up in the wrong hands, your data is not leaked.
What is Encryption in Transit?
This is when the data is travelling from the storage disk to the client machine that requested it.
Encryption in transit is handled using SSL/TLS certificates and tunnelling.
Encryption in AWS
In AWS, every service where you store data offers you encryption at rest.
The storage service can be any of EBS, EFS, S3 and so on; all of them give you the option to encrypt at rest.
Types of Encryption at rest
Encryption at rest can be handled in multiple ways:
Method 1 : Client-side Encryption
In this option AWS has nothing to do with the encryption: before uploading data to an AWS storage service, the user encrypts it and then uploads the already encrypted data.
Method 2 : Server-side Encryption
This is where AWS performs the encryption for you and so achieves encryption at rest.
KMS (Key Management Service) is the service used to manage the encryption keys that encrypt the data.
KMS keys can be managed in 2 ways:
Type 1 : AWS Managed - AWS creates and manages the KMS key; the user has no rights to delete it.
Type 2 : Customer Managed - the user creates the key, sets its key policy and has full rights to manage it. You can also enable automatic key rotation so that the encryption key is renewed without any manual action and security is maintained.
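As an added example that is not part of this post, here is what the customer-managed path looks like in Python with boto3: a key policy for the new key, the put_object arguments that make S3 encrypt the object with that key, and a check that an object really is encrypted under the expected key. The account ID, role ARN, bucket and object names are placeholders I made up; the live run at the bottom needs AWS credentials and boto3.

```python
import json

# Constructed placeholder values; replace with your own before a live run.
ACCOUNT_ID = "123456789012"
KEY_USER_ARN = "arn:aws:iam::123456789012:role/app-writer"


def key_policy(account_id: str, key_user_arn: str) -> dict:
    """Customer-managed key policy: the account root keeps administrative
    control (so IAM policies can grant admin rights), and one principal may
    use the key for data encryption. Nothing else is allowed."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AccountRootAdmin", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "KeyUserEncryptDecrypt", "Effect": "Allow",
             "Principal": {"AWS": key_user_arn},
             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*",
                        "kms:DescribeKey"],
             "Resource": "*"},
        ],
    }


def sse_kms_put_kwargs(bucket: str, key: str, body: bytes, kms_key_arn: str) -> dict:
    """put_object arguments that make S3 encrypt the object at rest under the
    given customer-managed key instead of the S3-managed default."""
    return {"Bucket": bucket, "Key": key, "Body": body,
            "ServerSideEncryption": "aws:kms", "SSEKMSKeyId": kms_key_arn}


def verify_sse_kms(head_object_response: dict, expected_key_arn: str) -> bool:
    """Check a head_object response: the object must be SSE-KMS encrypted with
    the expected key. SSE-S3 (AES256), a different key, or no header fails."""
    if head_object_response.get("ServerSideEncryption") != "aws:kms":
        return False
    return head_object_response.get("SSEKMSKeyId") == expected_key_arn


if __name__ == "__main__":  # live run; needs AWS credentials and boto3
    import boto3
    kms, s3 = boto3.client("kms"), boto3.client("s3")
    policy = json.dumps(key_policy(ACCOUNT_ID, KEY_USER_ARN))
    key_arn = kms.create_key(Policy=policy, Description="sse demo")["KeyMetadata"]["Arn"]
    kms.enable_key_rotation(KeyId=key_arn)  # automatic yearly rotation
    s3.put_object(**sse_kms_put_kwargs("my-bucket", "hello.txt", b"hi", key_arn))
    print(verify_sse_kms(s3.head_object(Bucket="my-bucket", Key="hello.txt"), key_arn))
```

The same verify_sse_kms check can be run over a bucket listing to find objects that were uploaded without SSE-KMS or with a key other than the one you intended.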
Thanks for reading till the end. In our next post we will see how to enable encryption at rest in S3 and EBS.
Hope you find this useful. Give 👍 for more posts from us. We also run a YouTube channel, TechPechu, in Tamil (an Indian regional language); do subscribe as moral support! 😀