
Cloud Encryption at Rest — KMS, HSM & Server-Side Encryption

DodaTech Updated 2026-06-24 4 min read

In this tutorial, you'll learn about Cloud Encryption at Rest. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Cloud encryption at rest protects stored data by rendering it unreadable without the correct decryption key, with AWS KMS, Azure Key Vault, and GCP Cloud KMS providing the key management infrastructure.

What You Will Learn

How to implement encryption at rest using provider-managed keys, customer-managed keys, and HSM-backed keys across all three major clouds.

Why It Matters

Regulatory frameworks like SOC 2, HIPAA, and PCI DSS require encryption at rest. Without it, a stolen storage device or misconfigured bucket leaks plaintext data.

Real-World Use

DodaZIP archives sensitive documents using AWS S3 with SSE-KMS and automatic key rotation. Even if an attacker gains bucket access, the data remains encrypted unless they also compromise the KMS key.

Server-Side Encryption Options

Every cloud provider offers three tiers of encryption at rest:

  1. Server-side encryption with provider-managed keys — no customer effort, no control
  2. Server-side encryption with customer-managed keys — you create and control the key
  3. Server-side encryption with customer-provided keys — you supply the key with every request

Encryption Architecture

flowchart LR
  Data[Raw Data] --> Encrypt[Encryption Engine]
  KMS[KMS Key] --> Encrypt
  Encrypt --> Ciphertext[Encrypted Data]
  Ciphertext --> Storage[(Cloud Storage)]
  
  Storage --> Decrypt[Decryption Engine]
  KMS --> Decrypt
  Decrypt --> Plaintext[Decrypted Data]
  
  style KMS fill:#f90,color:#fff

AWS KMS

AWS Key Management Service manages encryption keys for over 50 AWS services. You can use the default AWS-managed key or create your own customer-managed key (CMK).

# Create a symmetric customer-managed key
aws kms create-key --description "Production data encryption key"
# Output:
# {
#   "KeyMetadata": {
#     "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
#     "Arn": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
#     "KeyManager": "CUSTOMER",
#     "KeyState": "Enabled"
#   }
# }

# Enable automatic annual rotation
aws kms enable-key-rotation --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

# Encrypt a file directly with KMS (the Encrypt API accepts at most 4096 bytes of
# plaintext; larger files use envelope encryption with generate-data-key)
aws kms encrypt \
  --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
  --plaintext fileb://secret.txt \
  --output text \
  --query CiphertextBlob > secret.encrypted
# secret.encrypted holds the ciphertext blob base64-encoded; decode it before
# passing it back as fileb:// to "aws kms decrypt"

Azure Key Vault

Azure Key Vault stores keys, secrets, and certificates in a hardware security module (HSM) backed vault. Keys never leave the HSM boundary.

# Create a Key Vault with soft-delete and purge protection
# (the Premium SKU is required for HSM-protected keys)
az keyvault create \
  --name prod-keyvault-01 \
  --resource-group prod-rg \
  --sku premium \
  --enable-soft-delete true \
  --enable-purge-protection true

# Add an encryption key
az keyvault key create \
  --vault-name prod-keyvault-01 \
  --name data-key \
  --protection hsm \
  --kty RSA-HSM \
  --size 4096

# Encrypt with the Key Vault key. RSA-OAEP can only encrypt a payload smaller than
# the key size (a few hundred bytes), so in practice you wrap a data key rather
# than a whole file. The base64 value must be a single line, hence tr -d '\n'.
az keyvault key encrypt \
  --vault-name prod-keyvault-01 \
  --name data-key \
  --algorithm RSA-OAEP \
  --value "$(base64 < secret.txt | tr -d '\n')"
# Output:
# {
#   "result": "encryptedBase64String==",
#   "key": {"kid": "https://prod-keyvault-01.vault.azure.net/keys/data-key/key-version"}
# }

GCP Cloud KMS

GCP Cloud KMS provides key management integrated with Cloud Storage, BigQuery, and Compute Engine. Keys can be generated in software or via an HSM.

# Create a key ring and encryption key
gcloud kms keyrings create prod-keyring --location global

gcloud kms keys create data-key \
  --location global \
  --keyring prod-keyring \
  --purpose encryption \
  --protection-level hsm

# Encrypt a file directly (Cloud KMS accepts up to 64 KiB of plaintext per call;
# larger data uses envelope encryption with a data key)
gcloud kms encrypt \
  --location global \
  --keyring prod-keyring \
  --key data-key \
  --plaintext-file secret.txt \
  --ciphertext-file secret.encrypted

Key Rotation Strategy

Rotate customer-managed keys annually at minimum. Both AWS and GCP support automatic rotation. Azure Key Vault requires a manual or scripted approach.
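The architecture flowchart and the `aws kms encrypt` command earlier show a KMS key encrypting data directly, but the direct Encrypt APIs cap the payload, so real file encryption uses envelope encryption: the KMS issues a data key, the data key encrypts the object, and only the KMS-wrapped copy of the data key is stored next to the ciphertext. Rotation then means new objects are wrapped under new key material while older material is retained for decryption, which is why rotating a KMS key does not require re-encrypting existing data. The following is an added example, not code from the page or from any cloud SDK: it models that flow with a local stand-in for the KMS using only the Python standard library. `SimulatedKMS`, the `envelope_*` functions and the HMAC-based counter-mode cipher are assumptions made for illustration; a real deployment calls the provider SDK (for AWS, `generate_data_key` and `decrypt` on the KMS client) and uses AES-256-GCM for the data.

```python
# Envelope encryption with a local stand-in for a cloud KMS (added example).
# SimulatedKMS is not a cloud API: it imitates generate_data_key / decrypt and
# keeps old key versions after rotation so the flow runs offline. The cipher
# (HMAC-SHA256 counter-mode keystream + encrypt-then-MAC tag) stands in for
# the AES-256-GCM a real SDK would use.
import base64, hashlib, hmac, json, os, struct

def _keystream_xor(key, nonce, data):
    """XOR data with successive HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    for n in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + struct.pack(">I", n), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[n * 32:(n + 1) * 32], block))
    return bytes(out)

def _subkeys(key):
    """Distinct encryption and MAC keys derived from one 32-byte key."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def sym_encrypt(key, plaintext):
    """Authenticated encryption: nonce || ciphertext || HMAC tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def sym_decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ciphertext")
    return _keystream_xor(enc_key, nonce, ct)

class SimulatedKMS:
    """Stand-in for a cloud KMS: key material never leaves this object."""
    def __init__(self):
        self._versions = {}  # key_id -> list of key material versions

    def create_key(self):
        key_id = "sim-" + os.urandom(6).hex()  # constructed id, not a cloud ARN
        self._versions[key_id] = [os.urandom(32)]
        return key_id

    def rotate_key(self, key_id):
        """Add new material; older versions remain usable for decryption only."""
        self._versions[key_id].append(os.urandom(32))
        return len(self._versions[key_id]) - 1

    def generate_data_key(self, key_id):
        """Return (plaintext DEK, wrapped DEK); wrapping uses the newest version."""
        version = len(self._versions[key_id]) - 1
        dek = os.urandom(32)
        blob = sym_encrypt(self._versions[key_id][version], dek)
        return dek, json.dumps({"key_id": key_id, "version": version,
                                "blob": base64.b64encode(blob).decode()})

    def decrypt_data_key(self, wrapped):
        rec = json.loads(wrapped)
        if rec["key_id"] not in self._versions:
            raise PermissionError("no access to KMS key " + rec["key_id"])
        return sym_decrypt(self._versions[rec["key_id"]][rec["version"]],
                           base64.b64decode(rec["blob"]))

def envelope_encrypt(kms, key_id, plaintext):
    """Object as written to storage: wrapped DEK plus body, never the plain DEK."""
    dek, wrapped = kms.generate_data_key(key_id)
    body = base64.b64encode(sym_encrypt(dek, plaintext)).decode()
    return json.dumps({"wrapped_dek": wrapped, "body": body}).encode()

def envelope_decrypt(kms, stored):
    rec = json.loads(stored)
    dek = kms.decrypt_data_key(rec["wrapped_dek"])  # the only step needing KMS access
    return sym_decrypt(dek, base64.b64decode(rec["body"]))

def wrapped_version(stored):
    """KMS key version that wrapped this object's DEK (for rotation audits)."""
    return json.loads(json.loads(stored)["wrapped_dek"])["version"]

if __name__ == "__main__":
    kms = SimulatedKMS()
    key_id = kms.create_key()
    obj = envelope_encrypt(kms, key_id, b"constructed sensitive document")
    print("decrypts with KMS access:", envelope_decrypt(kms, obj))
    try:
        envelope_decrypt(SimulatedKMS(), obj)  # storage access without the KMS key
    except PermissionError as err:
        print("bucket-only access:", err)
    kms.rotate_key(key_id)  # rotation keeps existing objects readable
    print("after rotation:", envelope_decrypt(kms, obj), "versions:",
          wrapped_version(obj), "->", wrapped_version(envelope_encrypt(kms, key_id, b"new")))
```

Two properties are worth noting when reading the output: an object copied out of storage is useless to anyone who cannot call the KMS for that key id, which is the guarantee the Real-World Use section relies on; and after `rotate_key` the older object still decrypts while new objects carry the new version number, so a rotation audit can be done by reading `wrapped_version` across stored objects rather than by re-encrypting everything.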

Common Mistakes

  1. Using provider-managed keys for regulated data: Provider-managed keys do not meet compliance requirements that demand customer control over encryption keys.
  2. Disabling key rotation: Keys that never rotate increase the blast radius if a key is compromised. Enable automatic rotation wherever supported.
  3. Storing keys in the same account as data: If an attacker compromises the account, both data and keys are accessible. Use a separate account for key management.
  4. Forgetting to back up keys: If you lose a customer-managed key, encrypted data is permanently unrecoverable. Export and store key material securely.
  5. Not enabling key deletion protection: Accidental key deletion can cause widespread data loss. Enable soft-delete and purge protection in all providers.
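An inventory check for the five mistakes above, as an added example that is not part of the page or of any cloud SDK: it takes a constructed `KeyPosture` record whose `key_arn`, `key_manager` and `key_state` follow the KeyMetadata fields of `aws kms describe-key` (the same shape as the `create-key` output earlier), and whose `rotation_enabled` mirrors `KeyRotationEnabled` from `aws kms get-key-rotation-status`. The remaining fields (`data_account`, `regulated_data`, `deletion_protected`, `key_material_backed_up`) are assumptions an asset inventory would have to supply. The two sample postures reuse the key ARN from the create-key output and are constructed for the demonstration.

```python
# Audit one KMS key against the five common mistakes (added example).
# KeyPosture is a constructed record: key_arn/key_manager/key_state follow
# `aws kms describe-key` KeyMetadata, rotation_enabled follows
# `get-key-rotation-status`; the other fields are assumed inventory data.
import re
from dataclasses import dataclass

# Account id is the fifth colon-separated field of a KMS key ARN.
KMS_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/(?P<id>[0-9a-f-]{36})$")

@dataclass(frozen=True)
class KeyPosture:
    key_arn: str
    key_manager: str              # "AWS" (provider-managed) or "CUSTOMER"
    key_state: str                # "Enabled", "Disabled", "PendingDeletion", ...
    rotation_enabled: bool        # KeyRotationEnabled
    data_account: str             # account owning the bucket/volume the key protects
    regulated_data: bool          # in HIPAA/PCI/SOC 2 scope (assumed inventory flag)
    deletion_protected: bool      # policy blocks key deletion (assumed inventory flag)
    key_material_backed_up: bool  # assumed inventory flag

def key_account(key_arn):
    """Account that owns the key, parsed from its ARN."""
    m = KMS_ARN.match(key_arn)
    if not m:
        raise ValueError("not a KMS key ARN: " + key_arn)
    return m["account"]

def audit_key(p):
    """Return one finding per violated rule, numbered as in the list above."""
    findings = []
    if p.regulated_data and p.key_manager != "CUSTOMER":
        findings.append("1: provider-managed key protects regulated data")
    if not p.rotation_enabled:
        findings.append("2: automatic rotation disabled")
    if key_account(p.key_arn) == p.data_account:
        findings.append("3: key and data live in the same account")
    if not p.key_material_backed_up:
        findings.append("4: no backup of key material")
    if not p.deletion_protected or p.key_state == "PendingDeletion":
        findings.append("5: key can be deleted (or deletion already scheduled)")
    return findings

# Constructed sample: the key from the create-key output, guarding a bucket in
# the same account, rotation never enabled, no deletion protection or backup.
RISKY = KeyPosture(
    key_arn="arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    key_manager="CUSTOMER", key_state="Enabled", rotation_enabled=False,
    data_account="123456789012", regulated_data=True,
    deletion_protected=False, key_material_backed_up=False)

# Constructed sample: same key after remediation, data moved to a separate account.
HARDENED = KeyPosture(
    key_arn=RISKY.key_arn, key_manager="CUSTOMER", key_state="Enabled",
    rotation_enabled=True, data_account="210987654321", regulated_data=True,
    deletion_protected=True, key_material_backed_up=True)

if __name__ == "__main__":
    for name, posture in (("risky", RISKY), ("hardened", HARDENED)):
        print(name, audit_key(posture) or ["no findings"])
```

In a real inventory the record would be filled from `describe-key` and `get-key-rotation-status` per key, with the account that owns the protected data taken from the resource's own ARN; the point of the check is that mistake 3 is visible only when key and data metadata are compared side by side.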

Practice Questions

  1. What is the difference between AWS SSE-S3 and SSE-KMS?
  2. How does Azure Key Vault HSM protection differ from software-protected keys?
  3. What GCP Cloud KMS protection level uses hardware security modules?
  4. Why is automatic key rotation important for security?
  5. How can you recover data if a customer-managed key is accidentally deleted?

Challenge

Design an encryption-at-rest strategy for a multi-cloud data pipeline. Data enters via AWS S3, is processed on Azure, and is archived in GCP Cloud Storage. Use customer-managed keys in each provider with automatic rotation. Write the CLI commands to create keys in all three clouds and configure cross-cloud key access.

FAQ

What is encryption at rest in the cloud?

Encryption that protects data stored on disk or in cloud storage services, making it unreadable without the correct key.

What is the difference between SSE-S3 and SSE-KMS?

SSE-S3 uses AES-256 keys managed by AWS. SSE-KMS uses keys managed in AWS KMS with separate permissions and audit trails.

Can I use my own key with Azure Key Vault?

Yes. Azure supports bring-your-own-key (BYOK) where you generate and transfer keys to the Key Vault HSM.

Does GCP Cloud KMS support automatic rotation?

Yes. Cloud KMS can rotate keys automatically based on a schedule you define.

What happens if I lose my customer-managed key?

Data encrypted under that key becomes permanently unrecoverable. Always back up key material and use multi-region key storage.
