Announcing DuoKey for AWS XKS for storing and using encryption keys outside of AWS Cloud using secure multiparty computation
The DuoKey for AWS XKS module is now available for customers who have a regulatory need to store and use their encryption keys outside of the AWS Cloud or on premises.
AWS KMS forwards API calls to securely communicate with DuoKey for AWS XKS, ensuring that key material never leaves the XKS. This solution enables the encryption of data with external keys for most AWS services that support AWS KMS customer-managed keys, such as Amazon EBS, AWS Lambda, Amazon S3, Amazon DynamoDB, and over 100 more services. There is no need to change existing configuration parameters or code for these services.
This new capability, which uses secure multiparty computation (MPC) rather than traditional hardware security modules (HSM), offers several significant advantages for customers moving data to AWS.
First, MPC provides stronger security guarantees than HSMs, as it allows for the encryption and decryption of data without any single party having access to the complete decryption key. This reduces the risk of a single point of failure or compromise, and makes it more difficult for attackers to access protected data.
Second, MPC allows for the use of multiple, independent key sources, which can provide additional resilience and flexibility compared to traditional HSMs. For example, customers can use DuoKey for AWS XKS with MPC to encrypt data with keys from multiple on-premises MPC node, or to use a combination of on-premises and cloud-based MPC nodes.
Third, MPC can potentially offer better performance and lower latency compared to HSMs, as it allows for the parallelization of encryption and decryption operations across multiple parties. This can be particularly beneficial for applications that require high-speed data transfer or processing.
Overall, the use of DuoKey for AWS XKS with MPC offers customers a more secure and flexible solution for moving data to AWS, with potential benefits for performance and latency compared to traditional HSMs.
(via Archives, Lausanne, Switzerland — Dec 06, 2022)