by Cshelton 3551 days ago
So this is great; however, I have a very large concern.

In a U.S. AWS data center, I am very confident (right now) that my encryption keys and encrypted data will never be given out to any governmental agency. Even with a warrant, they cannot access my data unencrypted.

What will Amazon do when the French government says hand us all of your keys or else...

As our data is all extremely sensitive financial information, we really cannot even take that chance until we know.

Clarification: We send all data over HTTPS with AES 256 encryption. If authorities have a warrant for data, can we hand them the encrypted data and say the keys are in the U.S. and we can't give them to you?

2 comments

Why are you:

1) Keeping keys to extremely sensitive financial data on a cloud server

2) Confident that the US government won't request this information through warrant or national security letter

3) Asking for advice about this on a message board?

1) They are in a key management service (not AWS). Highly unlikely somebody will get both access to the keys and the data together. They are also rotated periodically.

2) Well lately, I'm not. The Apple/FBI case was somewhat assuring. And I believe that to date, AWS has not handed over any data or keys without permission.

3) More theoretical advice about the new French region. What are the laws about privacy, and how will that work? We just saw what Germany ruled on with WhatsApp. And really just asking the question because it needs to be asked. I don't actually expect an ultimate answer, just discussion about it.

> 2) Well lately, I'm not. The Apple/FBI case was somewhat assuring. And I believe that to date, AWS has not handed over any data or keys without permission.

How would you know? The NSL would prevent Amazon from being able to say anything about it.

If you're that concerned about your security, you shouldn't be using a cloud provider.

The Apple FBI case only happened because Apple was physically unable to hand over the data, since they had no access to it. If you have the keys, you have access to the data presumably, and you'll be giving it up once you're compelled to by the government (see Lavabit).

Would you feel better if NSA gets your data using a warrant signed by a secret court and gags Amazon using an NSL? Why do you think that US agencies can ask Lavabit to hand over encryption keys, but the same can't happen with Amazon?

Comparing with the US I don't remember that France has any gag laws.