Understanding security measures when using Key Manager

Key storageLink to this anchor

We strongly advise that you never store data encryption keys (DEKs) in plaintext.

Storing DEKs in plaintext poses a significant security risk and defeats the purpose of using Key Manager or any key management service in the first place.

You should always use your key encryption key (KEK) created via Key Manager to encrypt and decrypt your DEKs.

Key deletionLink to this anchor

Always delete the plaintext version of your DEKs after use. The key you should use to encrypt your DEKs securely is your KEK.

This practice is crucial for maintaining the security of the encrypted data by minimizing the time during which the plaintext DEKs are exposed and vulnerable to unauthorized access.

Use DEKs only onceLink to this anchor

For each piece of plaintext data that you want to encrypt, you should generate a new, unique DEK, through Scaleway’s Key Manager.

Using a unique DEK for each piece of plaintext ensures that even if one DEK is compromised, it does not affect the security of other encrypted data.

Use Key Manager to encrypt your DEKs onlyLink to this anchor

While it is technically possible to encrypt and decrypt data directly in Key Manager (with a size limitation of up to 64 KB), we do not advise that you use Key Manager this way.

Instead of using Key Manager for data encryption and decryption, you should use a data encryption key (DEK).

This is recommended for two main reasons:

• Performance: Encrypting and decrypting data directly with Key Manager can be less efficient compared to using a DEK, especially for larger volumes of data.

• Economic: Scaleway charges for each operation involving KEKs. Using a DEK minimizes the number of operations you need to perform with the KEK, reducing costs.