Amazon introduces AWS Encryption SDK to help developers secure cloud apps
Amazon Web Services (AWS) has released an encryption SDK to help developers build applications that correctly implement encryption and thus ensure that data is kept as secure as possible in the AWS cloud.
Available now, the AWS Encryption SDK is designed to help developers minimise potential errors that could lower the security of cloud-hosted applications. It provides functions to manage encryption keys, and simplifies the process of encrypting data under multiple master keys, Amazon said.
Encryption is a vital way to protect data in the cloud if hackers or malware somehow gain unauthorised access to applications or a data store. However, encryption can sometimes be more complex than it first appears, and flaws in its implementation can create a weak point for attackers to exploit.
“Developers using encryption often face two problems: how to correctly generate and use a key to encrypt data, and how to protect the key after it has been used,” said Amazon software security engineer Greg Rubin on the AWS Security Blog.
Rubin explained that the library provided in the new AWS Encryption SDK addresses these problems by transparently implementing the low-level details using the cryptographic provider available in the user’s development environment, and by providing interfaces to let the customer choose how they want to protect their keys.
“Developers can then focus on the core of the applications they are building, instead of the complexities of encryption,” he added.
The AWS Encryption SDK is supplied as a production‑ready Java reference implementation with direct support for the AWS Key Management Service and the Java Cryptography Architecture, which also includes support for Amazon’s AWS CloudHSM that uses secure hardware to store keys in the cloud.
Amazon said that the AWS Encryption SDK provides a carefully designed and reviewed data format that supports multiple secure algorithm combinations and has no limits on the types or algorithms of the master keys.
Another notable feature is support for envelope encryption, designed for applications where large datasets need to be encrypted. With this approach, the data is encrypted with an appropriate single-use data key such as AES-GCM which is itself encrypted with a master key that uses an algorithm or other solution appropriate for key management.
Amazon has provided ready-to-use code samples in the AWS Encryption SDK for customers using CloudHSM or KMS, but the open source SDK can be extended to support other key providers.
Source | V3