
Understanding Scaleway Key Manager

Reviewed on 06 February 2025. Published on 06 February 2025.

How to use Key Manager?

We recommend using the keys you store in Key Manager as key encryption keys (KEK) and using them to encrypt and decrypt your data encryption keys (DEK). We do not recommend storing your data encryption keys in Key Manager.

Why use data encryption keys?

Unlike key encryption keys (KEK), which you cannot access directly, data encryption keys (DEK) can be used by you to encrypt your data. You can also use data encryption keys outside of Scaleway Key Manager.

The main benefit of using DEKs is that you do not have to re-encrypt your data at each rotation performed in Key Manager. Only the DEK needs to be re-encrypted with a new KEK.

Rotating only the KEK reinforces the security of data at rest without requiring heavy re-encryption operations.

When Key Manager generates a data encryption key, it returns a plaintext version of the key for immediate use and a ciphertext, an encrypted copy of the data encryption key, that you can safely store.

Important
  • Never store your data encryption key’s plaintext. When you want to decrypt your data, you need to go through Key Manager to decrypt the encrypted DEK. Find out how to decrypt your data with Tink.
  • While Scaleway Key Manager is responsible for generating, encrypting, and decrypting data encryption keys, it does not store, manage, or monitor them, nor does it engage in cryptographic operations with these keys. You must use and manage data encryption keys outside of Scaleway’s Key Manager.

What is the difference between ciphertext and plaintext?

Ciphertext and plaintext are two fundamental terms in encryption.

Plaintext refers to data in its original, readable form, such as a message, document, or file, that has not been encrypted.

It is the information as it appears before any encryption process or after decryption.

Ciphertext is the result of applying an encryption algorithm to plaintext. It is the scrambled, unreadable version of the data that is secure from unauthorized access.

While plaintext can be understood directly by humans or computers, ciphertext requires a decryption key to convert it back into plaintext. This transformation between plaintext and ciphertext ensures the confidentiality of information during storage or transmission, protecting it from being intercepted or read by unauthorized parties.

Which cryptographic operations does Key Manager support?

Key Manager supports the following three cryptographic operations:

  • Encryption
  • Decryption
  • Data encryption key generation

Management methods you can use with Key Manager

Key Manager allows you to create and manage the complete lifecycle of your keys. Below are all the ways you can use Key Manager to manage your keys.

  • Create a key: You must specify a key usage, which defines the purpose of the key (encryption, signing, etc.) and which encryption algorithm will be used to derive the key. Upon key creation, Key Manager automatically creates a first key version.

  • Retrieve a key: Retrieving a key only returns the metadata associated with the key, not the key versions.

  • List keys: You can retrieve a subset of your keys according to filters such as “name”, “description”, “tags”, etc.

  • Update a key: You can update the key’s name, description or tags at any time.

  • Enable and disable key protection: Enabling key protection prevents accidental deletion of a key. You must disable key protection before deleting a key to which key protection is applied.

  • Rotate a key: Rotating a key creates a new key version and makes all previous versions obsolete.

  • Delete a key: Deleting a key also deletes all its versions. All data encrypted using the key, including data encryption keys, will become unusable.

Key usage and algorithms

The key usage specifies the encryption algorithm used to create subsequent key versions, and the scope of cryptographic operations supported by the key.

Keys with a key usage set to symmetric_encryption are used to encrypt and decrypt data.

Key Manager only supports the AES-256-GCM encryption scheme.

The following parameters, in compliance with the recommendations of the French Cybersecurity Agency (ANSSI), are used when creating and using a key with the AES-256-GCM encryption scheme.

Key derivation algorithm

Key Manager uses HMAC-based Extract-and-Expand Key Derivation Function (HKDF) as defined in RFC 5869 with SHA-256 as the hash function.

Key material

Key Manager generates a 256-bit key using a cryptographically secure random number generator that draws entropy from the /dev/urandom source. This key is then used in a key derivation algorithm to generate a new key version.

Key version length

The key version has a length of 256 bits, ensuring strong cryptographic security.

Block cipher

For encryption, Key Manager uses the Galois/Counter Mode (GCM), which is a mode of operation for block ciphers, with a block size of 128 bits. GCM encrypts your plaintext data using AES and authenticates it using a unique authentication “tag”. This means that if anyone tampers with your encrypted data, you will know, because the tag will no longer match and decryption will fail.
