Rotate Keys without Re-Encrypting Data

Searching for the right key?

“Data is the new currency”, you must have heard of this term quite often from your CISO, security team or auditors. Even though it sounds exaggerated, its true. In today’s world with the rapid digitization of almost everything, it has become sacrosanct to secure data at all times.

Security is said to be the enemy of performance and efficiency but that’s not true. You can very well secure your enterprise with very minimal impact to the performance, efficiency or user experience.

Let us see that with the help of an example:

Business Requirement:- Your organization is planning to create a “Data Lake” which will house enormous amounts of data from various sources. This data will be mined by data scientists using various tools to create business intuitive reports.

Security Requirement:- Your security team asks you to ensure that the data stored in the “Data Lake” is encrypted at rest and the keys to encrypt the data should be stored securely and rotated periodically.

Challenge:- Rotating the keys would mean the data needs to be re-encrypted i.e. decrypted by the old key and encrypted by the new key. Such a task seems impossible with the mammoth amount of data stored in the “Data Lake”.

Solution:- To avoid re-encryption of a huge amount of data, you can implement the concept of “Data Key & Master Key”. In simple terms,

1. Encrypt the data using a Data Key. (Using only symmetric encryption henceforth, to keep it simple)
2. Encrypt the Data Key using a Master Key. Store the encrypted Data Key safely as per your organization’s policies.
3. Key Rotation- Generate new Master Key and re-encrypt only the Data Key . Store the encrypted Data Key back at its location.
4. Data Encryption- Use Master Key to decrypt & use the Data Key. Encrypt the data using the Data Key and remove the Data Key immediately after use.
5. Data Decryption- Use Master Key to decrypt & use the Data Key. Decrypt the data using the data key and remove the Data Key immediately after use.

Below is the pictorial depiction of the solution:-

Benefits:-

1. The Data Key is never stored locally or left unencrypted.
2. Data Key is accessible to only those who have the Master Key.
3. Rotation of the Master Key will not impact the data encrypted by the Data Key. Hence, no overhead of re-encryption of the data during key rotation.
4. Data encrypted by the Data Key will always remain secure as the Data Key is secure.
5. Reduced Exposure- The only mechanism to crack the key is to use brute force on the cipher text which is very difficult if not impossible.

If the secure storage to store the keys is a Cloud-based Vault, then the Data Key will never leave the vault. The Key-Id (unique ID of the Key) of the Data Key will be encrypted by the Master Key instead of the actual Data Key. Also, the Master Key will remain in the vault and only it’s Key-Id will be provided to the applications.

Example:-

Below is a sample code in Python using Oracle Cloud SDK which provides the methods for:-

1. Managing the encryption/decryption of the Data Key. (DataKeyManagement.py)
2. Performing the actual data encryption/decryption retrieving the Data Key. (DataEncryption.py)

Source: https://github.com/vaibhavsonavane/oci

References:-

Key Management - oci 2.31.2 documentation