What is the best practice for storing a secret on the cloud?

  • What is the best practice for storing a secret on the cloud? Richard

    This post on Securing Java Application Data for Cloud Computing offers a good introduction to using a Java KeyStore for securing encrypted data in the cloud. It neglects, however, to answer the fundamental question, as noted in one of the comments: how would you protect the keystore password on the cloud?

    We are designing a SAAS web application in the AWS public cloud, which will have many end users (scaling to millions). All user data will be encrypted on a per-user basis with standard encryption. The password-protected encryption keys will be stored on a remote secure keyserver, which requires an API secret key to access. This has essentially the same problem noted in the question above, with the keyserver API secret key being directly comparable to the keystore password: how would you protect the keyserver API secret key on the cloud?

    Note that our web application needs access to this secret key so that it can obtain per-user keys for encrypting and decrypting the user data. We are using AES-256 symmetric encryption, but the fundamental problem remains even for a PKI solution, as you still need to secure the private key. Note also that we could use a keystore instead of a remote keyserver, but this just reduces to the previous question and again the fundamental problem remains.

    Some further constraints:

    • Storing the secret on the remote secure keyserver is impossible, obviously, since it is used to access that keyserver.
    • Storing the secret on the cloud filesystem is insecure, since the main point is to keep the secret from being accessible to anyone who breaches the cloud filesystem. (If the cloud filesystem were perfectly secure, we would not need to encrypt the data there.) Also, given that cloud resources are expected go down and need restarting, relying on the cloud to hold the secret is unreliable.
    • Storing the secret in the code is unacceptable, for many reasons including: version control, plain-text storage, reverse engineering, key rotation, etc. See also Should a closed source website keep a secret key in its source?.
    • Storing the secret in an HSM is impractical, since we cannot attach one to a virtual cloud server. See also Storage of 'secrets', keystores, HSMs and the rest.
    • Storing the secret outside the cloud for remote loading by the application is also problematic: we are looking for a purely cloud-based approach to avoid having any internal servers to maintain; network reliability is not guaranteed; authenticating the cloud server's request for secret on the internal server has its own issues; etc.
    • Any manual interaction should be minimized, since we want servers to start and restart as automatically as possible to reduce any downtime or human errors. My guess is that manual interaction may be necessary.

    So, what is the best practice for storing a secret on the cloud? How should a web app load such a secret? I would be particularly interested in a Java solution, but this is a general problem in any language.

  • "In the Cloud" means "on a virtual machine which runs on the infrastructure of some big company with which we have a contractual relation". By definition, when you store things "in the cloud", you are trusting the cloud provider. That provider has all the technical power to look at the fine details of the entrails of your code and data and everything you store on these machines.

    It's like trying to maintain the integrity of your body, when you are already on the operation table, under general anesthesia, and the surgeon has his scalpel in hand. It's a bit late to mistrust the surgeon...

    If the secret is valuable, then don't store it in the cloud. Said otherwise: if you cannot afford the extra cost of a dedicated hardware server, then the secret data cannot be worth that much -- or possibly you are way too much avaricious for your own good.

Related questions and answers
  • to accommodate application-specific passwords (create an encrypted private key per password), in case I ever want to develop apps besides the web interface. My question is: How fundamentally (in)secure is this design? If the (web) server can decrypt files when users are logged in, this obviously begs a question of "how trustworthy and responsible with users' data and encryption secrets am I... (and thus decrypting the file) is encrypted using a secret based on the user's password. This means that files can only be read by the server if the decrypted private key is kept in its decrypted form

  • Possible Duplicate: When a sysadmin leaves what extra precautions need to be taken? A company has been maintaining its ALL internal and external (like google emails, apps, etc.) IT systems (computers, servers, networks, web sites, security keys to bank accounts and auctions, passwords, etc.) with the help of external (coming) system administrator, the only one exclusively. Mostly he... immediately but in 3 weeks. Anyway, he was informed immediatelyabout being fired, so it just aggravated situation since he is overiding my actions remotely and do not inform what he is doing or cooperate

  • locally, rather than use the much more appropriate industry standard practice of storing a one-way hash of the password -- so we very definately don't want to do that. Forcing user interaction... enough", call it a day, and go have a beer? -- Tim p.s. I should also note I'm open to other out-of-the-box solutions to the problem at hand as well, but have already ruled out storing the user's... at rest and on the wire. The only grief I have is that the API (again, apparently designed for human-generated passwords), has some restrictions on the password format that decrease entropy when using

  • I would like to give a daemon-style process (i.e. no user interaction) access to a shared secret key so that it can access a shared, encrypted data file. User applications accessing the same encrypted data store the shared secret key in the user's OS keychain (e.g. OS X Keychain or Gnome Keyring, etc.). The OS keychain, in turn protects the secret key with the user's login (or other user-specific... encryption of the data on disk is at most a nuisance to a determined attacker. We also allow users to run the query server locally (still started by init.d/launchd), so I want to do whatever I can

  • This is a multiple part question, which all really come back to the main question: How best to protect data in a Hadoop (wikipedia) cluster. (Current version, vanilla main-branch distro... (and the key (or keys, say one per customer) would still need to be distributed to each Task Node for MapReduce jobs). ... / folder permissions, per application user (i.e. customer). Problems I've found with this approach: Permissions are only applied at the NameNode; direct access to DataNodes would still provide access

  • password as the private key. Any further API calls that the user makes will be having a hashed blob of the request URL using the user's private key. On the server side I reconstruct the hash using the saved private key. If the hash is a match I let the user do his task, else reject. In this option I need to use https only for the registration API. The REST can go on on http. But here..., again I use https, and ask the user's credentials; verify the hashed password on the DB and return him a session ID, which I'm planning to never expire unless he Logs Out. Further any other API calls

  • at any time, so I want to protect against someone who steals the device and tries to decrypt the data I am not worried about software exploits, keyloggers and so on (assume I never borrow the device... some time reading Wikipedia on AES, block cipher modes and key derivation algorithms, and I also read "If You're Typing The Letters A-E-S Into Your Code, You're Doing It Wrong". All this has made me... PBKDF2 with SHA-512 so I can derive a key of double length. There is no reliable random number source on the embedded device, so my plan is to have the user generate the random key (k1) on a PC

  • for the most part. Encrypted Email: I hesitate with this one as it includes user education, but it may be the best way. Also, it means handing out keys somehow. There is also the email client support...I have a problem I need to solve - specifically, how to hand out passwords to people in a variety of locations, and with a wide variety of access. I've thought of some options... is no doubt done with unencrypted access. In any case, not all have email access (e.g., contractors). "Briefcase": I could add the password to the user's Zimbra briefcase, but this suffers from most of the same

  • How should I protect domain joined hosts in the same AD domain from the Related Domain Cookie Attack? Suppose there is an AD forest called example.com. This company has a variety of internal and external web applications: store.example.com (customer facing) partnerPortal.example.com (internal/partner facing) payroll.example.com (internally facing) The forest also has workstations on the same domain workstation001.example.com ... etc. Since this answer describes how easy it is to alter cookies, I think this is an opportunity for a confused deputy issue, where the authority granted

Data information