> Fair enough, but then why did you split the trust in the first place using BYOK? Let’s think about the threat model here. Anyone leveraging privilege in the cloud or exploiting vulnerabilities in the isolation of cloud tenants, will inevitably gain access to the cryptographic services and eventually to your keys. So, do you trust the entire public cloud and its tenant? And why go through all that trouble of BYOK and separation of concerns?
Because as owner of the CMK, I can rotate it as often as I want and limit the exposure if one instance of the CMK has been exposed by the CSP.
And I can decide my own policy on having CMK shared across CSP and not be tied to just one CSP.
Confidential Computing is not a replacement for the discussion on who manages the key-encryption-key.
You are correct, KMS implement important aspects of key management. The conclusion of the article is not replacing KMS with Confidential Computing. Instead, the idea is to combine them to achieve the ultimate goal of protecting sensitive data. CC does not solve the who manages the KEK problem, it solves the using the DEK securely, accessing the KEK securely, and eventually, effectively protecting the processed data question.
If you don't trust your CSP (the threat model discussed in the article) then I'm not sure that confidential computing will save you as you're relying on the CSP to implement and provide that service faithfully.
The CSP installs chooses and installs and manages the hardware, you can likely only interface with that hardware through CSP provided software, if the CSP is malicious it would seem likely that they could backdoor this stack to allow them access to encryption keys...
If you don't trust the CSPs surely the right answer is on-prem hardware.
I hear that argument a lot. The key aspect here is remote attestation.
Often enough CC is only seen from a memory encryption angle.
It's maybe not straight forward, however remote attestation and of course the verifiability of such attestation claims are what makes CC unique.
The remote attestation capabilities of CC hardware allow to establish a secure channel from the hardware to the user, taking the CSP fully out of the equation. That applies even though the CSP implements the IaaS in between.
AMD's SEV supports providing an attestation to the launch state of the VM, including information about whether the hypervisor has any visibility into the contents of the VM. If this works as described it does genuinely let you decouple trust from the CSP, instead placing it purely in the CPU vendor.
But I agree with the general thrust of the post - simply providing your own keys isn't sufficient to remove the CSP from the set of people you need to trust. There are reasons to do this (eg, you want the ability to extract your encrypted data and make use of it, or you want to have a chain of trust back to keys that you control), but the moment you upload a private key anywhere it's obviously no longer private in the same sense it was before you did that.
Author promotes deep hardware solutions, like Trusted Computing. I thought we've already passed that? TPM, Intel ME, AMD PSP...? If you are in a position to distrust your provider DON'T USE CLOUD. Build your infrastructure, use colocation, bring your own server. If you fear you may get poisoned, don't eat in public restaurants. And BYOK is just a minimal norm of basic security.
Isn't the normal practice here to provide a key use transparency log?
HSMs can produce a log every time the key is used, and as long as you trust the hardware to be doing the right thing (if you don't you've got bigger problems) the log should be verifiable so you know if there's a missing entry.
Cloud provider has the key, but gives you verifiable logs of it being used so you can catch them if they're doing the wrong thing.
They say that part of the solution is that their system provides runtime encryption, so third parties, whatever and whoever they might be, can't see the data. But where's physically the key used to encrypt? If it still has to be on the cloud, which I think would be the case, then the problem isn't solved.
There's also a lot of exciting developments coming out of academia, see structured encryption and its applications for encrypted search for example https://esl.cs.brown.edu/pubs/
Same argument can be used for encrypted EBS devices. I see some of these solutions as a way to be able to add a checkmark in some compliance report somewhere - they don't necessarily add a lot of actual security.
BYOK was a lie because it was only protecting keys at rest. When the environment in use becomes accessible to so many actors, customers lose control of their keys and identities once they are accessible to that hostile environment. “Bring your own key — share it with everyone.”
Confidential Computing fundamentally changes this by providing protection for keys in use and enabling trusted and verifiable runtime environments.
Solutions such as Constellation solve the shortcomings of BYOK using Confidential Computing so you can finally “Bring your own key — keep it yours”.
Rygian|3 years ago
> Fair enough, but then why did you split the trust in the first place using BYOK? Let’s think about the threat model here. Anyone leveraging privilege in the cloud or exploiting vulnerabilities in the isolation of cloud tenants, will inevitably gain access to the cryptographic services and eventually to your keys. So, do you trust the entire public cloud and its tenant? And why go through all that trouble of BYOK and separation of concerns?
Because as owner of the CMK, I can rotate it as often as I want and limit the exposure if one instance of the CMK has been exposed by the CSP.
And I can decide my own policy on having CMK shared across CSP and not be tied to just one CSP.
Confidential Computing is not a replacement for the discussion on who manages the key-encryption-key.
actionfromafar|3 years ago
m1ghtym0|3 years ago
amelius|3 years ago
assusdan|3 years ago
raesene9|3 years ago
The CSP installs chooses and installs and manages the hardware, you can likely only interface with that hardware through CSP provided software, if the CSP is malicious it would seem likely that they could backdoor this stack to allow them access to encryption keys...
If you don't trust the CSPs surely the right answer is on-prem hardware.
m1ghtym0|3 years ago
The remote attestation capabilities of CC hardware allow to establish a secure channel from the hardware to the user, taking the CSP fully out of the equation. That applies even though the CSP implements the IaaS in between.
There is documentation that explains this in more detail if that's of interest to anyone following these discussions: * https://confidentialcomputing.io/wp-content/uploads/sites/85... * https://content.edgeless.systems/hubfs/Confidential%20Comput...
mjg59|3 years ago
But I agree with the general thrust of the post - simply providing your own keys isn't sufficient to remove the CSP from the set of people you need to trust. There are reasons to do this (eg, you want the ability to extract your encrypted data and make use of it, or you want to have a chain of trust back to keys that you control), but the moment you upload a private key anywhere it's obviously no longer private in the same sense it was before you did that.
eschneider|3 years ago
IYasha|3 years ago
danpalmer|3 years ago
HSMs can produce a log every time the key is used, and as long as you trust the hardware to be doing the right thing (if you don't you've got bigger problems) the log should be verifiable so you know if there's a missing entry.
Cloud provider has the key, but gives you verifiable logs of it being used so you can catch them if they're doing the wrong thing.
GTP|3 years ago
redwood|3 years ago
JensRantil|3 years ago
m1ghtym0|3 years ago
Confidential Computing fundamentally changes this by providing protection for keys in use and enabling trusted and verifiable runtime environments.
Solutions such as Constellation solve the shortcomings of BYOK using Confidential Computing so you can finally “Bring your own key — keep it yours”.