76. An Encryption Deep Dive – Part Four

Chris Hickman and Jon Christensen of Kelsus and Rich Staats of Secret Stache conclude their encryption series by discussing symmetric cryptography and Amazon Web Services (AWS).

Some of the highlights of the show include:


  • Quality control of voice assistants: Apple claims only your phone, not Apple or Siri, knows the unique IDs needed to delete recordings
  • Encryption liability: Apple did not encrypt your Siri recordings, it only anonymized them
  • Can you keep a secret? Symmetric encryption uses a single key for both encrypting and decrypting data
  • Key Management Service (KMS): AWS' core service for generating and managing symmetric cryptographic keys
  • Hardware Security Module (HSM): stores secrets and the master key and performs encryption/decryption inside the device, so the master key never leaves it
  • Pros and cons of CloudHSM versus KMS: control of authentication and authorization, lower latency, a managed device, durable and scalable firmware updates, and unfamiliarity to auditors
  • Customer Master Key (CMK): the root of the KMS key hierarchy, used to protect the keys beneath it
  • Creating key material: let KMS (AWS) generate it, or import your own
  • Recommendation: if using KMS at scale, envelope encryption is a must; each encryption generates a fresh data key that encrypts the data locally and is itself stored encrypted under the CMK
  • How to deal with breaches and compromised keys? A waiting period is enforced before a master key is actually deleted, and master keys can be rotated

 

Links and Resources

 

There’s a privacy explanation for why Apple doesn’t let you delete Siri recordings

AWS Key Management Service (KMS)

AWS CloudHSM

AWS CloudFront

AWS FIPS 140-2

AWS Customer Master Key (CMK)

AWS Secrets Manager

AWS Lambda

AWS S3

AWS DynamoDB

AWS Elastic Block Store (EBS)

AWS CloudTrail

AWS SDK for JavaScript in Node.js

PKCS 11

CNG

Advanced Encryption Standard (AES) 256

NGINX

Python

JSON

Slack

Mobycast’s toll-free voicemail: 844-818-0993

Mobycast’s Email: ask@mobycast.fm

Mobycast on Twitter

Kelsus

Secret Stache Media

Rich: In Episode 76 of Mobycast, Jon and Chris finish our series on encryption by digging into AWS’ encryption services. Welcome to Mobycast, a weekly conversation about cloud-native development, AWS, and building distributed systems. Let’s jump right in.

Jon: Welcome, Chris and Rich. It’s another episode of Mobycast.

Rich: Hey.

Chris: Hey, guys. It’s good to be back.

Jon: Yeah, good to have you back. Rich, what have you been up to?

Rich: Looks like we’re going to have our first full-time senior developer hire. It’s going to be a promotion from within, but this will be the first actual full-time salaried employee. I spent the weekend trying to figure out what the job role would look like, what the expectations would be.

Jon: Mobycast listener I assume?

Rich: No, it’s the developer who’s been with me the longest. It’s just ready for him to take that full-time commitment. It’s more or less me giving the commitment to him, as he’s already proven that he’s ready and willing. It was just really hard for me to come up with what that salary should be, commensurate with where he lives, and also what he’s done.

I spent probably 15 hours this weekend thinking through it, but it was one of the best exercises I’ve done because it also forced me to define all of the different rules that were there but never defined in our company. The outcome is that we’ll have a growth plan for anyone who works for us moving forward, which is pretty sick.

Jon: I’ve been really pleased with the WordPress work especially the back-end parts and pieces that your team at Secret Stache has done. I know that Alex, your new person, is a big part of that. So congratulations, that’s great.

Rich: It’s scary because it’s a huge commitment. But I feel like these are the risks you’re supposed to take in entrepreneurship. This is the right move regardless of whether or not […].

Jon: How about you Chris? What have you been up to?

Chris: Recently I transitioned away from some of the day-to-day client work here at Kelsus. I’ve been working on an account, basically since day one, for about 2½ years. That took up a lot of my time, in fact most of my time.
