Cloud Encryption at Rest — KMS, HSM & Server-Side Encryption
In this tutorial, you'll learn about Cloud Encryption at Rest. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
Cloud encryption at rest protects stored data by rendering it unreadable without the correct decryption key, with AWS KMS, Azure Key Vault, and GCP Cloud KMS providing the key management infrastructure.
What You Will Learn
How to implement encryption at rest using provider-managed keys, customer-managed keys, and HSM-backed keys across all three major clouds.
Why It Matters
Regulatory frameworks like SOC 2, HIPAA, and PCI DSS require encryption at rest. Without it, a stolen storage device or misconfigured bucket leaks plaintext data.
Real-World Use
DodaZIP archives sensitive documents using AWS S3 with SSE-KMS and automatic key rotation. Even if an attacker gains bucket access, the data remains encrypted unless they also compromise the KMS key.
Server-Side Encryption Options
Every cloud provider offers three tiers of encryption at rest:
- Server-side encryption with provider-managed keys — no customer effort, no control
- Server-side encryption with customer-managed keys — you create and control the key
- Server-side encryption with customer-provided keys — you supply the key with every request
Encryption Architecture
flowchart LR
    Data[Raw Data] --> Encrypt[Encryption Engine]
    KMS[KMS Key] --> Encrypt
    Encrypt --> Ciphertext[Encrypted Data]
    Ciphertext --> Storage[(Cloud Storage)]
    Storage --> Decrypt[Decryption Engine]
    KMS --> Decrypt
    Decrypt --> Plaintext[Decrypted Data]
    style KMS fill:#f90,color:#fff
AWS KMS
AWS Key Management Service manages encryption keys for over 50 AWS services. You can use the default AWS-managed key or create your own customer-managed key (CMK).
# Create a symmetric customer-managed key
aws kms create-key --description "Production data encryption key"
# Output (key id, ARN and account id are sample values):
# {
#   "KeyMetadata": {
#     "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
#     "Arn": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
#     "KeyManager": "CUSTOMER",
#     "KeyState": "Enabled"
#   }
# }
# Enable automatic annual rotation
aws kms enable-key-rotation --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
# Encrypt a small file directly with the key. `aws kms encrypt` accepts at most
# 4096 bytes of plaintext; larger objects are protected by envelope encryption
# (a data key wrapped by this key), which is what SSE-KMS does for S3 objects.
# The CiphertextBlob is returned base64-encoded, so decode it to get raw
# ciphertext that `aws kms decrypt --ciphertext-blob fileb://` can read back.
aws kms encrypt \
  --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
  --plaintext fileb://secret.txt \
  --output text \
  --query CiphertextBlob | base64 --decode > secret.encrypted
Azure Key Vault
Azure Key Vault stores keys, secrets, and certificates in a hardware security module (HSM) backed vault. Keys never leave the HSM boundary.
# Create a Key Vault with soft-delete and purge protection.
# The Premium SKU is required for HSM-protected keys. Soft delete is enabled by
# default on new vaults (the flag is kept for older CLI versions); purge
# protection must be turned on explicitly and cannot be turned off again.
az keyvault create \
  --name prod-keyvault-01 \
  --resource-group prod-rg \
  --sku premium \
  --enable-soft-delete true \
  --enable-purge-protection true
# Add an HSM-protected RSA encryption key
az keyvault key create \
  --vault-name prod-keyvault-01 \
  --name data-key \
  --protection hsm \
  --kty RSA-HSM \
  --size 4096
# Encrypt a file using the Key Vault key. RSA-OAEP encrypts only a few hundred
# bytes per operation (less than the 512-byte modulus of a 4096-bit key), so it
# is suited to wrapping a data key rather than to bulk data. --data-type base64
# tells the CLI the value is already base64; -w0 keeps GNU base64 on one line.
az keyvault key encrypt \
  --vault-name prod-keyvault-01 \
  --name data-key \
  --algorithm RSA-OAEP \
  --data-type base64 \
  --value "$(base64 -w0 secret.txt)"
# Output:
# {
#   "result": "encryptedBase64String==",
#   "key": {"kid": "https://prod-keyvault-01.vault.azure.net/keys/data-key/key-version"}
# }
GCP Cloud KMS
GCP Cloud KMS provides key management integrated with Cloud Storage, BigQuery, and Compute Engine. Keys can be generated in software or via an HSM.
# Create a key ring and an HSM-protected encryption key
gcloud kms keyrings create prod-keyring --location global
gcloud kms keys create data-key \
  --location global \
  --keyring prod-keyring \
  --purpose encryption \
  --protection-level hsm
# Encrypt a file directly with the key (plaintext is limited to 64 KiB per
# call; larger data uses envelope encryption with a wrapped data key)
gcloud kms encrypt \
  --location global \
  --keyring prod-keyring \
  --key data-key \
  --plaintext-file secret.txt \
  --ciphertext-file secret.encrypted
Key Rotation Strategy
Rotate customer-managed keys annually at minimum. Both AWS and GCP support automatic rotation. Azure Key Vault requires a manual or scripted approach.
Common Mistakes
- Using provider-managed keys for regulated data: provider-managed keys do not meet compliance requirements that demand customer control over encryption keys.
- Disabling key rotation: keys that never rotate increase the blast radius if a key is compromised. Enable automatic rotation wherever supported.
- Storing keys in the same account as data: if an attacker compromises the account, both data and keys are accessible. Use a separate account for key management.
- Forgetting to back up keys: if you lose a customer-managed key, encrypted data is permanently unrecoverable. Export and store key material securely.
- Not enabling key deletion protection: accidental key deletion can cause widespread data loss. Enable soft-delete and purge protection in all providers.
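The three tiers listed under Server-Side Encryption Options and the mistakes above can be checked mechanically from CLI output. The script below is an added example, not code from this page or from the AWS tooling: it parses the JSON that `aws s3api get-bucket-encryption`, `aws kms describe-key` and `aws kms get-key-rotation-status` return, classifies each bucket's default encryption as none, provider-managed or customer-managed, and flags disabled rotation, keys older than the annual policy, keys living in the data account, and keys that are not in the Enabled state. All inputs are constructed stand-ins; the account ids, bucket names and key ARNs are placeholders.

```python
"""Audit S3 default encryption and KMS key hygiene from CLI JSON output.

Added example (not from the page). Sample data below is constructed to look
like the output of `aws s3api get-bucket-encryption`, `aws kms describe-key`
and `aws kms get-key-rotation-status`; every id is a placeholder.
"""
import json
from datetime import datetime, timezone

DATA_ACCOUNT = "111111111111"  # placeholder: the account that owns the buckets
MAX_KEY_AGE_DAYS = 365         # rotate annually at minimum

KEY_A = "arn:aws:kms:us-east-1:111111111111:key/aaaaaaaa-0000-0000-0000-000000000001"
KEY_B = "arn:aws:kms:us-east-1:222222222222:key/bbbbbbbb-0000-0000-0000-000000000002"


def _sse_rule(algorithm, key_arn=None):
    """Build constructed `get-bucket-encryption` JSON text for one bucket."""
    default = {"SSEAlgorithm": algorithm}
    if key_arn:
        default["KMSMasterKeyID"] = key_arn
    return json.dumps({"ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": default}]}})


# bucket -> CLI output text; None models the CLI error returned when no
# default encryption rule exists (ServerSideEncryptionConfigurationNotFoundError)
BUCKET_ENCRYPTION = {
    "logs-bucket": None,
    "public-assets": _sse_rule("AES256"),        # SSE-S3
    "reports": _sse_rule("aws:kms"),             # SSE-KMS with the AWS-managed aws/s3 key
    "archive": _sse_rule("aws:kms", KEY_A),      # customer-managed key in the data account
    "vault": _sse_rule("aws:kms", KEY_B),        # customer-managed key in a separate account
}

# key ARN -> (describe-key output, get-key-rotation-status output)
KEY_STATUS = {
    KEY_A: (json.dumps({"KeyMetadata": {"Arn": KEY_A, "KeyManager": "CUSTOMER",
                                         "KeyState": "Enabled",
                                         "CreationDate": "2023-01-15T10:00:00+00:00"}}),
            json.dumps({"KeyRotationEnabled": False})),
    KEY_B: (json.dumps({"KeyMetadata": {"Arn": KEY_B, "KeyManager": "CUSTOMER",
                                         "KeyState": "Enabled",
                                         "CreationDate": "2024-06-01T00:00:00+00:00"}}),
            json.dumps({"KeyRotationEnabled": True})),
}


def account_from_arn(arn):
    """ARN layout: arn:partition:service:region:account-id:resource."""
    return arn.split(":")[4]


def default_rule(bucket):
    """Return the ApplyServerSideEncryptionByDefault object, or None."""
    raw = BUCKET_ENCRYPTION[bucket]
    if raw is None:
        return None
    rules = json.loads(raw)["ServerSideEncryptionConfiguration"]["Rules"]
    return rules[0]["ApplyServerSideEncryptionByDefault"]


def tier(bucket):
    """Map a bucket's default rule onto the tiers: none, provider-managed,
    customer-managed. SSE-C (customer-provided keys) is chosen per request and
    cannot be a bucket default, so it never appears here."""
    rule = default_rule(bucket)
    if rule is None:
        return "none"
    if rule["SSEAlgorithm"] == "AES256":
        return "provider-managed"                 # SSE-S3
    key_arn = rule.get("KMSMasterKeyID")
    if key_arn is None:
        return "provider-managed"                 # SSE-KMS with aws/s3
    meta = json.loads(KEY_STATUS[key_arn][0])["KeyMetadata"]
    return "customer-managed" if meta["KeyManager"] == "CUSTOMER" else "provider-managed"


def audit(bucket, now=None):
    """Return finding codes for one bucket; an empty list means no issues."""
    now = now or datetime.now(timezone.utc)
    t = tier(bucket)
    if t == "none":
        return ["no-default-encryption"]
    if t == "provider-managed":
        return ["provider-managed-key"]
    key_arn = default_rule(bucket)["KMSMasterKeyID"]
    meta_raw, rotation_raw = KEY_STATUS[key_arn]
    meta = json.loads(meta_raw)["KeyMetadata"]
    findings = []
    if not json.loads(rotation_raw)["KeyRotationEnabled"]:
        findings.append("rotation-disabled")
        created = datetime.fromisoformat(meta["CreationDate"])
        if (now - created).days > MAX_KEY_AGE_DAYS:
            findings.append("key-older-than-policy")
    if account_from_arn(key_arn) == DATA_ACCOUNT:
        findings.append("key-in-data-account")
    if meta["KeyState"] != "Enabled":
        findings.append("key-not-enabled")        # e.g. PendingDeletion or Disabled
    return findings


if __name__ == "__main__":
    for name in BUCKET_ENCRYPTION:
        print(f"{name:14} {tier(name):17} {audit(name)}")
```

Against the constructed data, `archive` is the bucket that passes a naive "is KMS enabled?" check yet fails three of the checks above, which is why classifying by tier alone is not enough. To run this against a real account, replace the two dictionaries with the output of the three CLI commands named in the lead-in; the finding codes map one-to-one onto the Common Mistakes list.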
Practice Questions
- What is the difference between AWS SSE-S3 and SSE-KMS?
- How does Azure Key Vault HSM protection differ from software-protected keys?
- What GCP Cloud KMS protection level uses hardware security modules?
- Why is automatic key rotation important for security?
- How can you recover data if a customer-managed key is accidentally deleted?
Challenge
Design an encryption-at-rest strategy for a multi-cloud data pipeline. Data enters via AWS S3, is processed on Azure, and is archived in GCP Cloud Storage. Use customer-managed keys in each provider with automatic rotation. Write the CLI commands to create keys in all three clouds and configure cross-cloud key access.