Re-Keying for Decryption
Decryption in AWS
How do decryption and key rotation work in AWS? It all goes back to AWS KMS. KMS makes it easy for you to create and manage cryptographic keys and control their use. When you need to replace an old encryption key with a new one, there are two options for how to accomplish this.
- Decrypt the data with the old key, then re-encrypt it with the new key. This would be a good option to utilize when you are replacing a key because of a negative event against the original key.
- Leave the data in place and encrypted with the original key, but utilize originator usage periods and recipient usage periods.
Read more about re-keying in NIST SP 800-57 Part 1: Recommendation for Key Management and the AWS best practices for rotating customer master keys.
When we need to go through the process of creating a new encryption key, there are considerations to be made about what we do with the data that was encrypted under the old key. There are two principal things we can do with that data.
The first is that we can take the old data, decrypt it with the old key, and re-encrypt it with the new key. That is a particularly viable, almost necessary, action any time we’re replacing a key because of a potential negative event against the original key. “We suspect the key might have been compromised. Someone with knowledge of the key has left the organization – one of our key custodians,” or something like that. Those are situations where we need to consider re-keying the data. It is a potentially expensive option, in terms of both technical capital and human capital. Depending on the data set, this may take hours, days, or a week, and there are technical and operational considerations to weigh when doing it. Again, when we’re considering re-keying data because of a negative event against the original key, that’s really something we need to do.
The second option for what we do with the original data is that we leave it in place, encrypted with the original key. The NIST material speaks about this in terms of an “originator usage period” and a “recipient usage period.” When we’re talking about encryption of data at rest, the originator usage period is the time period during which we will use a key for encryption operations. The recipient usage period is the amount of time during which we will use it exclusively for decryption operations. This is the case we’re talking about now. When we’re going to keep multiple keys around for the decryption of data, because the security life of that data requires that we be able to continue to decrypt it, then it’s also necessary that our applications can support the proper selection of the key. We need to solve the key escrow problem: how do we keep multiple keys around and protect them for that time period?
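As an added example (not code from the page's course material or from AWS), the following stdlib-only Python models both options above: a key ring in which every key carries an originator usage period and a recipient usage period, ciphertext that carries its key ID so the application can select the correct decryption key, and a `rekey()` routine for the decrypt-and-re-encrypt option. The cipher (an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag), the day-count time values, and the key IDs are constructed for illustration; in AWS the key-ring role belongs to KMS and key material never leaves it.

```python
import hashlib, hmac, os, struct
from dataclasses import dataclass

@dataclass
class KeyEntry:
    key_id: str            # must not contain "|", which delimits the header
    material: bytes        # 32-byte secret; in AWS this never leaves KMS
    originator_until: int  # last day the key may be used to ENCRYPT (constructed day count)
    recipient_until: int   # last day the key may be used to DECRYPT

KEYRING: dict[str, KeyEntry] = {}   # stands in for the versions KMS keeps behind one key

def _subkey(k: KeyEntry, label: bytes) -> bytes:
    # separate keystream and tag keys derived from one secret
    return hmac.new(k.material, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def select_encrypt_key(now: int) -> KeyEntry:
    # only keys still inside their originator usage period may encrypt; newest wins
    live = [k for k in KEYRING.values() if now <= k.originator_until]
    if not live:
        raise ValueError("no key is inside its originator usage period")
    return max(live, key=lambda k: k.originator_until)

def encrypt(plaintext: bytes, now: int) -> bytes:
    k = select_encrypt_key(now)
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(_subkey(k, b"enc"), nonce, len(plaintext))))
    header = k.key_id.encode() + b"|" + nonce        # the key id travels with the ciphertext
    tag = hmac.new(_subkey(k, b"mac"), header + body, hashlib.sha256).digest()
    return header + body + tag

def decrypt(blob: bytes, now: int) -> bytes:
    key_id, rest = blob.split(b"|", 1)
    k = KEYRING.get(key_id.decode())
    if k is None or now > k.recipient_until:     # option 2: old key usable only while in its recipient period
        raise ValueError(f"key {key_id.decode()} is unavailable or past its recipient usage period")
    header, body, tag = blob[:len(key_id) + 17], rest[16:-32], rest[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(k, b"mac"), header + body, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ s for c, s in zip(body, _keystream(_subkey(k, b"enc"), rest[:16], len(body))))

def rekey(blob: bytes, now: int) -> bytes:
    """Option 1: decrypt under the old key and re-encrypt under the key current today."""
    return encrypt(decrypt(blob, now), now)
```

Adding a second key to `KEYRING` with a later originator period models a rotation: new writes move to it immediately, old ciphertext stays readable until the old key's recipient period ends, and `rekey()` is the explicit migration the text describes as expensive.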