Deploying an Information Rights Management or PKI solution for your enterprise? Now you need to decide where to store your keys. Amazon’s AWS Key Management Service (AWS KMS) is a managed service that lets you create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect those keys.
AWS KMS is a fully managed service: AWS handles availability, physical security, and hardware maintenance of the underlying infrastructure. It gives you centralized control of your encryption keys and a single view into all key usage in your organization. You can create, import, and rotate keys, define usage policies, and audit usage from the AWS Management Console. KMS stores and uses your keys on hardened systems where unencrypted key material exists only in memory, and keys are never transmitted outside the AWS region in which they were created.
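To make the properties above concrete (master key material that never leaves the service boundary, usage policies, rotation that keeps old ciphertext readable, and an audit trail of every key operation), here is an added toy model of a KMS-style service using envelope encryption. It is example code written for this page, not AWS code and not the real KMS API; the class, method names, principals and the `seal`/`unseal` cipher (an HMAC-SHA256 keystream with an encrypt-then-MAC tag standing in for AES-GCM) are all constructed for illustration and must not be used as a real cipher.

```python
"""Toy KMS with envelope encryption, key policies, rotation and audit.

Constructed example: the cipher below is a stand-in for AES-GCM built from
hashlib/hmac so the file runs with the standard library only.
"""
import hashlib
import hmac
import secrets


# --- toy authenticated cipher (stand-in for AES-GCM; NOT for production) ------
def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one 32-byte key.
    return (hashlib.sha256(key + b"enc").digest(),
            hashlib.sha256(key + b"mac").digest())


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a toy stream cipher.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(enc_key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(enc, nonce, plaintext)
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("ciphertext authentication failed")
    return _keystream_xor(enc, nonce, ct)


# --- the service boundary: master keys live only inside this object -----------
class ToyKMS:
    def __init__(self):
        self._versions = {}   # key_id -> [master key bytes, one per rotation]
        self._policy = {}     # key_id -> set of principals allowed to use it
        self.audit = []       # (operation, key_id, principal, outcome)

    def _log(self, op, key_id, principal, outcome):
        self.audit.append((op, key_id, principal, outcome))

    def _authorize(self, op, key_id, principal):
        # Every use is checked against the key policy and written to the audit log.
        if principal not in self._policy[key_id]:
            self._log(op, key_id, principal, "DENIED")
            raise PermissionError(f"{principal} may not {op} on {key_id}")
        self._log(op, key_id, principal, "OK")

    def create_key(self, owner, allowed_principals):
        key_id = "key-" + secrets.token_hex(4)
        self._versions[key_id] = [secrets.token_bytes(32)]
        self._policy[key_id] = set(allowed_principals) | {owner}
        self._log("CreateKey", key_id, owner, "OK")
        return key_id

    def rotate_key(self, key_id, principal):
        # Rotation adds a new version; older versions are kept for decryption.
        self._authorize("RotateKey", key_id, principal)
        self._versions[key_id].append(secrets.token_bytes(32))

    def generate_data_key(self, key_id, principal):
        # Returns a fresh data key plus that key wrapped under the current version.
        self._authorize("GenerateDataKey", key_id, principal)
        versions = self._versions[key_id]
        v = len(versions) - 1
        data_key = secrets.token_bytes(32)
        wrapped = v.to_bytes(2, "big") + seal(versions[v], data_key)
        return data_key, wrapped

    def decrypt_data_key(self, key_id, principal, wrapped):
        self._authorize("Decrypt", key_id, principal)
        v = int.from_bytes(wrapped[:2], "big")
        return unseal(self._versions[key_id][v], wrapped[2:])


# --- application side: only ever handles data keys, never the master key ------
def encrypt_record(kms, key_id, principal, plaintext):
    data_key, wrapped = kms.generate_data_key(key_id, principal)
    return wrapped, seal(data_key, plaintext)   # store both together


def decrypt_record(kms, key_id, principal, wrapped, ciphertext):
    data_key = kms.decrypt_data_key(key_id, principal, wrapped)
    return unseal(data_key, ciphertext)


if __name__ == "__main__":
    kms = ToyKMS()
    kid = kms.create_key("alice", ["app"])
    w, c = encrypt_record(kms, kid, "app", b"customer record")
    kms.rotate_key(kid, "alice")
    print(decrypt_record(kms, kid, "app", w, c), kms.audit)
```

The application stores the wrapped data key next to each ciphertext and asks the service to unwrap it on read; the two-byte version prefix is what lets records encrypted before a rotation still decrypt afterwards, and the denied attempt by an unauthorized principal shows up in the audit list rather than silently failing.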
Each customer master key (CMK) that you create in AWS KMS, whether you use it with KMS-generated key material or with key material you import, costs $1/month until you delete it. For a CMK with key material generated by KMS, if you opt in to automatic annual rotation, each newly rotated version raises the cost of the CMK by a further $1/month. In addition, AWS KMS charges an access fee: each API request to AWS KMS (outside of the free tier) costs approximately $0.03 per 10,000 requests.
An alternative to AWS KMS would be the Azure Key Vault. Like AWS KMS, use of Azure Key Vault means you don’t need to provision, configure, patch, and maintain HSMs and key management software. You can provision new vaults and keys (or import keys from your own HSMs) in minutes and centrally manage keys, secrets, and policies.
You can use Azure Key Vault to encrypt keys and small secrets such as passwords, using keys stored in hardware security modules (HSMs). For more assurance, Azure Key Vault lets you import or generate keys in HSMs, and Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). With Key Vault, Microsoft does not see or extract your keys. You can monitor and audit your key use with Azure logging.
For HSM-protected RSA 2048-bit keys Microsoft charges $1 per key per month plus an access cost of $0.03 per 10,000 requests. For RSA 3072-bit and 4096-bit keys the per-access cost is higher.
Another alternative to AWS KMS is to use your own on-premises HSM. This gives your organization more control over its keys and is usually preferred in large organizations that handle sensitive data. HSM providers include Gemalto, SafeNet (owned by Gemalto) and Thales.