Concepts
Asymmetric encryptionLink to this anchor
Asymmetric encryption is a fundamental type of cryptographic method used to secure data with a pair of keys: a public key and a private key.
The public key is used for encryption and can be shared openly, while the private key is used for decryption and must be kept secret. This design eliminates the need to share a single key securely, which is a challenge in symmetric encryption.
Asymmetric encryption is particularly well-suited for secure communication and authentication, such as encrypting emails or verifying digital signatures. However, it is slower than symmetric encryption. Algorithms like RSA and ECC are common examples of asymmetric encryption.
CiphertextLink to this anchor
Ciphertext refers to data that has been encrypted using a cryptographic algorithm and a key.
Unlike plaintext, ciphertext is not human-readable and cannot be understood or used without first decrypting it with the appropriate decryption key.
Ciphertext can be encrypted on the client side as long as the encryption key used for encryption is safely stored (in a Key Manager, for example).
Cryptographic operationLink to this anchor
A cryptographic operation is any action performed using cryptography to secure data, ensure privacy, or authenticate information.
Key Manager supports the three following cryptographic operations:
- Encryption
- Decryption
- Data encryption key generation
These operations are designed to protect data from unauthorized access, ensure its integrity, and verify the identities of users or systems.
Data encryption key (DEK)Link to this anchor
A data encryption key is a type of key that can be used outside Key Manager to encrypt and decrypt payloads.
Key Manager generates DEKs on-demand. They are then encrypted by a key encryption key specified by the user, and forwarded to the recipient.
DEKs are not stored in or managed by Key Manager. Users are responsible for safely storing and managing DEKs. DEKs should have the same lifecycle as the payload they encrypt.
DecryptionLink to this anchor
A cryptographic operation used to convert ciphertext back into its original plaintext form, using a key encryption key.
The only way to decrypt an encrypted payload is by using the Decrypt endpoint. Since key versions never leave Key Manager, there is no other way to decrypt data outside Key Manager. A payload encrypted with an older key version can still be decrypted. In this case, for convenience, the payload encrypted with the latest key version will be returned, along with the decrypted payload.
EncryptionLink to this anchor
A cryptographic operation used to encrypt data using the latest version of the Key Manager key. The encryption algorithm used is the one defined when setting the key usage.
Only keys with a usage set to symmetric_encryption are supported by this method. The input data is arbitrary, but this endpoint should only be used to encrypt data encryption keys, not actual payloads.
Find out how to encrypt and decrypt payloads using The Scaleway Tink provider
Encryption algorithmLink to this anchor
An encryption algorithm is the specific procedure used to perform encryption and decryption.
It defines the exact steps to transform plaintext into ciphertext and vice versa using a key.
As of now, Key Manager supports the following encryption algorithm:
- AES (Advanced Encryption Standard): A widely used symmetric encryption algorithm.
Encryption methodLink to this anchor
An encryption method is a broader approach used to convert readable data (plaintext) into an unreadable format (ciphertext) which may involve one or more encryption algorithms.
There are three types of encryption methods:
- Symmetric encryption
- Asymmetric encrytpion
- Hybrid encryption: An encryption method that combines both symmetric and asymmetric methods
Key Manager only supports symmetric encryption.
Encryption schemeLink to this anchor
An encryption scheme is a structured approach to encryption that specifies the encryption algorithm, key size, and mode of operation for block ciphers.
For example, in the AES-256-GCM encryption scheme:
AESrefers to the Advanced Encryption Standard (AES) encryption algorithm256refers to the key length in bitsGCMor Galois/Counter Mode, is the mode of operation for block ciphers. GCM encrypts your plaintext data using AES, and authenticates it using a unique “tag”. This means that if anyone tampers with your data, you will know because the tag will not match anymore.
Key encryption key (KEK)Link to this anchor
A key encryption key (KEK) is a type of key that has a single purpose: encrypting and decrypting data encryption keys.
The KEK is permanently stored in Scaleway’s Key Manager and never leaves it. It cannot be accessed by anyone, and should be rotated regularly.
Key managementLink to this anchor
Key management is the process of handling keys used in cryptographic systems to ensure the security and integrity of your cryptographic operations. This includes the generation, exchange, storage, usage, and disposal of these keys. Although strong cipher algorithms allow you to protect your information with secret keys, your data is only protected as long as your encryption keys are kept secret from non-authorized individuals.
Key protectionLink to this anchor
Key protection allows your key to be used and modified, but not deleted. This provides an additional layer of security.
Key rotationLink to this anchor
Key rotation is the process of replacing an old cryptographic key with a new one. It is a critical practice in key management to minimize the risk of exposure if a key is compromised and to enhance the overall security and resilience of your systems.
When using symmetric encryption, it is generally recommended to rotate keys every 30 to 90 days.
After rotating your Key Manager keys, all cryptographic operations will use the new rotated keys. All data encrypted with former key versions will remain decipherable with the former key.
Key usageLink to this anchor
The key usage specifies the algorithm used to create subsequent key versions, and the scope of cryptographic operations supported by your key encryption key. You must define a key usage upon key creation. As of now, Key Manager only supports symmetric encryption.
Key versionLink to this anchor
A key version is a a specific iteration of your key encryption key. Each version of your key represents a distinct state or version that may be rotated or replaced over time.
Key versions allow you to manage and track changes to your data encryption keys. When using key versions, all cryptographic operations will rely on the current key version.
Data you have encrypted with previous key versions will still be accessible and decipherable using those specific keys, ensuring backward compatibility.
PayloadLink to this anchor
A payload refers to the core data or message being transmitted, processed, or protected. It is the information of interest that encryption or other security mechanisms aim to secure.
PlaintextLink to this anchor
Plaintext refers to unencrypted, readable data. In the context of key management, plaintext often refers to cryptographic keys or sensitive data that are stored or transmitted in an unencrypted form. This term is often used in contrast to ciphertext, which is data that has been encrypted and is not readable without decryption.
RegionLink to this anchor
A Region refers to the geographical location in which your key will be created. Each region contains multiple Availability Zones. Your key will be duplicated on all Availability Zones of the selected region. Scaleway is available in the Paris, Amsterdam, and Warsaw regions.
Root encryption key (REK)Link to this anchor
A root encryption key (REK) is another type of key that has the single purpose of encrypting and decrypting KEKs in order to store them in hard storage. Scaleway’s Key Manager has one REK per region, which is securely stored in our facilities.
Symmetric encryptionLink to this anchor
Symmetric encryption is a fundamental type of cryptographic method where the same key is used to both encrypt and decrypt data. This means that the sender and receiver must have access to the same secret key, which they use to secure their communication.
Because symmetric encryption relies on a single key, it is generally fast and ideal for encrypting large volumes of data. However, its security depends entirely on keeping the key confidential.
Symmetric encryption algorithms like AES are widely used in scenarios where speed and efficiency are critical. As of now, Key Manager only supports the AES_256_GCM symmetric encryption algorithm.