[Merkur]

I did not know such thing is possible. very cool! thx for pointing it out! :)

but still..some rhetorical questions: Is KMS based on this concept? Is it's implementation open sourced? Is it verified to run unchanged in the instance I pay? Who is verifying it? Who is paying the one verifying it? Can I meet him / her to drink a coffee and build trust between us?

pls, do not misunderstand me. I got more trust in the amazon techs than in my own ability to admin a complex linux system on bare metal. But while all that is great progress toward security we still need to make a leap to find a solution. don't we?

[viraptor]

> I did not know such thing is possible.

It's theoretically possible, but right now it's too slow to be practical in usual situations. Just storing and single operations are maybe possible. But for example homomorphic AES takes multiple seconds per each block. And that's still AES-128.

[e12e]

Wait, are you saying HE is feasible for 128 bytes of data, if you can allow seconds for de/encryption? That'd be plenty usable for read-at-startup 128 bit api keys for micro-services, disk encryption keys etc?

(Granted, in this context, having a de-crypted disk at run time under a vm would be considered insecure - but still better (for some use cases) than man alternatives)

[viraptor]

AES has a block size of 128 bits, not bytes. Using the fastest reported method, that would be 2s/block, so 16s/128bytes.

So in practice, probably that's the case - you could use homomorphic encryption for very infrequent operations on KEKs for example.

[e12e]

Well, actually I was wrong twice, so it cancels out ;-) 128 bits is enough for many things. Eg. 128 bit keys. Too little for an ECC secret key, but not by much.