[timdierks]

This article confuses me. The author tears down a strawman argument about running centralized key services ("The expensive solution"), then recommends exactly such a solution in Amazon KMS.

The only plausible way this can make sense to me is if he said "Running your own key service is a pain, use Amazon KMS". But that's a simple service question, probably wouldn't have taken up as much space.

[ultramancool]

Not only that, but everything here except for the engineers question can also be solved by simply hosting these things yourself.

You don't need 3rd party code hosting on Github, just use Gitlab or JIRA. You don't need some external CI service, run your own Jenkins node. Chat and email should also be internal (we use XMPP, a local Mattermost instance would be an alternative) and SSL-only.

You can do all of this with basically 1 docker command per install on your own dedicated hardware with a fairly underpowered machine.

And this prevents leaking of all sorts of information, not just production database passwords. If you don't trust your engineers, you have bigger problems, as another poster pointed out, if they can modify your software to simply report the password back to them, or just login to production and decrypt it, you're dead in the water.

[yeukhon]

I argue security starts with being paranoid. Not that I don't trust anyone I work with, including myself, but I can leak emails or my computer can get hacked. Shit happens. So I would start with the worst case and ask myself how to defend against any leaks.

External service SLA can be joke. It's always aftermath thought. Damage control is always on the customer side because customer has to rotate / invalidate leaked credentials, so first step for me is to have a process to invalidate credentials as often as possible.

[TomFrost]

KMS is not a centralized secret database -- it's a hosted Hardware Security Module. There is no way to store your service's secrets in it for later retrieval, unlike the solutions listed in the article. I suppose an argument could be made that it still provides a single point of failure, however the risk level of KMS and the SLA it provides is far lower than what one might encounter by maintaining their own server cluster.

[timdierks]

AWS KMS does not use HSMs. Amazon says it runs on HSAs ("hardened security appliance"), but they don't provide a lot of info on what that means. I would presume that the only thing keeping a limited number of Amazon employees from accessing your keys is policy.

I agree that using AWS KMS is the same architecture as using some other KMS that you run yourself, you just garner the benefit of their software and operational capacity and you buy service; this is the same as any other PaaS service at Amazon or some other vendor.

What's the value of Cryptex, though? Why not just store KMS-wrapped secrets in your config file and have Amazon unwrap them? Then you wouldn't be dependent on any local crypto implementation and you could use other KMS features, such as AEAD.

[rpedela]

It literally says AWS KMS uses HSMs in the introductory paragraph.

https://aws.amazon.com/kms/

[timdierks]

I'm relying on https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Detai.... There are HSMs, I guess, but they'r only used to back up the keys when they're stored offline for durable backups. I hadn't seen the claim on the main page, but I'd consider it to be misleading, presuming that the cryptographic details whitepaper didn't totally misstate the design.