How to Manage Encryption Keys in a Multicloud Environment

Christian Melendez

Security is an essential part of managing a business. This is even more true when IT systems need to run in a multicloud environment where data protection is crucial. Security in the cloud is a shared responsibility between cloud service providers (CSP) and their customers, and every CSP has its own way of managing encryption keys. That can make it tough to manage various encryption keys across different CSPs where your applications and data reside.

Security Control for All Clouds

Equinix SmartKey, a global SaaS-based, secure key management and cryptography service, offered on cloud-neutral Platform Equinix™, simplifies data protection across any cloud architecture.


If you’re looking for ideas on where to start, what’s required, and a few recommendations on how to encrypt data across multiple clouds, this is a post you’ll want to read. We’ll start with an approach that enables you to use CSP encryption services without giving full control of the keys to the CSPs.

Bring your own key (BYOK) to the cloud

Almost all CSPs provide a way for you to bring your own key (BYOK). In this approach, you import your encryption keys to the CSP of choice while continuing to use their key management services (KMS). By doing this, you decouple key management from data encryption in the cloud and keep your systems as cloud-native. For instance, in Amazon Web Services (AWS) KMS, once you import your key material, you can use AWS KMS to encrypt data on Amazon Simple Storage Service (S3), Elastic Compute Cloud (EC2), Relational Database Server (RDS), as well as any other services that support AWS encryption. Other CSPs such as Microsoft Azure and Google Cloud provide similar offerings.

Bringing your own key (BYOK) enables you to use a cloud’s encryption service without giving full control of the keys to the cloud service provider.

Once you import your keys to your CSP’s KMS, you’ll need a place to store and manage your key materials. You can either generate the security keys on SmartKey or BYOK, but the key materials stay in one place for a single administrative environment regardless of where the encryption keys are used. If needed, you could also use SmartKey as an additional decryption layer for the data you store in the cloud. This approach helps to minimize exposure of your encryption keys to potential attackers.

Securing the workflow to BYOK to the cloud

Interaction with CSPs is generally done through APIs and, unless you have private, secure, and direct connectivity with them, usually takes place over the internet. Since sending key materials over the internet in plain text can be a serious vulnerability, most CSPs provide a way to wrap your key materials and securely upload them. A typical secure workflow to BYOK to the cloud would look like the following example:

  1. Generate your key material, ideally, an asymmetric key.
  2. Create the key bucket in the CSP – sometimes referred to as “a key without a key material.”
  3. Download the public wrapper key from the CSP to encrypt the key material before you upload it.
  4. Encrypt (or wrap) the key material with the wrapper key from the CSP.
  5. Upload the new key material to the CSP.

While this is the procedure you would follow when importing keys to AWS,[i] every CSP has its own nuances for importing keys. For instance, Microsoft Azure prescribes a similar workflow, but it doesn’t yet support all HSM providers.[ii] And, for Google Cloud, we’re working with them to make this process smoother by integrating SmartKey with Google Cloud.

For optimal security, be sure to leverage a secure workflow like the one above when you import your key materials to the cloud.
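Steps 1, 3 and 4 of the workflow above, as an added example that is not part of the original post or any CSP's tooling: it wraps key material with OpenSSL and then unwraps it the way the provider would after the upload. Assumptions: a locally generated RSA-2048 pair stands in for the CSP's wrapping key, the key material is a 256-bit symmetric key (RSA-OAEP can only wrap short payloads directly), the wrapping algorithm is RSA-OAEP with SHA-256, and all file and function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): BYOK wrap/unwrap, run offline.
# All file names are constructed for the demo.
set -eu
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
OAEP="-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256"

# Stand-in for the CSP: in a real import the provider keeps the private half
# and you only download the public wrapping key (step 3).
make_standin_csp_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORKDIR/csp_private.pem" 2>/dev/null
  openssl pkey -in "$WORKDIR/csp_private.pem" -pubout -out "$WORKDIR/csp_public.pem"
}

# Step 1: 256-bit symmetric key material from the local CSPRNG (assumption:
# in production a key manager or HSM generates it). umask keeps it owner-only.
generate_key_material() { ( umask 077; openssl rand -out "$1" 32 ); }

# Step 4: wrap the key material under the CSP public key (RSA-OAEP, SHA-256).
wrap_key_material() {   # args: public_key plaintext_in wrapped_out
  openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" $OAEP
}

# What the CSP does after the upload in step 5: unwrap with its private key.
csp_unwrap() {          # args: private_key wrapped_in plaintext_out
  ( umask 077; openssl pkeyutl -decrypt -inkey "$1" -in "$2" -out "$3" $OAEP )
}

# Size of a file in bytes, normalised to a bare integer.
file_size() { echo $(( $(wc -c < "$1") )); }

run_demo() {
  make_standin_csp_keypair
  generate_key_material "$WORKDIR/key_material.bin"
  wrap_key_material "$WORKDIR/csp_public.pem" "$WORKDIR/key_material.bin" \
    "$WORKDIR/wrapped.bin"
  csp_unwrap "$WORKDIR/csp_private.pem" "$WORKDIR/wrapped.bin" "$WORKDIR/unwrapped.bin"
  # The round trip must return exactly the bytes that were wrapped.
  cmp -s "$WORKDIR/key_material.bin" "$WORKDIR/unwrapped.bin"
}

run_demo
echo "wrapped blob: $(file_size "$WORKDIR/wrapped.bin") bytes, round trip OK"
```

Only the wrapped blob should ever leave your environment; the plaintext key material stays in the key manager that generated it.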

Recommendations for BYOK to the cloud

At the time of writing this article, there are a few recommendations when it comes to managing keys in a multicloud environment. These include:

  • Avoid using one key for everything – try to segment keys by application, environment or even line of business.
  • If you’re using SmartKey, generate the key materials in SmartKey.
  • If it’s supported by the CSP, use asymmetric keys.
    • AWS supports both asymmetric and symmetric keys.
    • Azure support for asymmetric keys is in preview.
    • Google Cloud supports asymmetric and symmetric keys, but you can only use the imported keys in Cloud Storage if they’re symmetric.

Finally, try to automate the interaction between CSPs and your key management tool such as SmartKey. Automation can help you react more quickly to security breaches by enabling you to regenerate encryption keys on-demand.

Recommendations for managing encryption keys in a multicloud environment:

1. Avoid using one key for everything.
2. Generate the key materials in SmartKey.
3. Use asymmetric keys.
4. Automate the key generation process.

Security is a continuous process

No one can ever really say that their systems are secure enough, that they’ve covered every edge case or that attackers won’t disrupt their systems. Cybercrime is relentlessly becoming more sophisticated, which means that security is a continuous process. And, in a multicloud environment, protecting your keys needs to be a top priority because cyberthieves won’t just try to guess what your encryption keys are; they’ll try to find them because it’s easier.

To learn more about keeping your encryption keys safe, I invite you to create a SmartKey account and start a free trial. We have written and video guides on how to integrate SmartKey with CSPs like AWS, Azure, and Google Cloud.



[i] AWS KMS Developer Guide, Importing key material in AWS Key Management Service (AWS KMS).

[ii] Microsoft Tutorials, Import HSM-protected keys to Key Vault, May 2020.
