
Module 17: Encryption and Key Management

CCSP Domain 2 — Cloud Data Security, Section B
Domain 2 encryption questions go deeper than Domain 1. Here the exam tests implementation decisions: which algorithm, which key management model, which key lifecycle controls. You must connect encryption choices to data protection outcomes.

Symmetric vs. Asymmetric Encryption in Cloud

The exam expects you to understand when to use each:

Symmetric encryption (AES-256): Used for encrypting data at rest and bulk data in transit. Fast and efficient. The challenge is securely distributing the shared key. In the cloud, symmetric keys are typically managed by a Key Management Service (KMS).

Asymmetric encryption (RSA, ECC): Used for key exchange, digital signatures, and authentication. Slower, but it solves the key distribution problem. In the cloud, asymmetric encryption is used during TLS handshakes and for signing API requests.

Envelope encryption: A common cloud pattern where a data encryption key (DEK) encrypts the data, and a key encryption key (KEK) encrypts the DEK. The KEK is managed by the KMS and never leaves it. This allows efficient encryption of large datasets while keeping key management centralized.

Exam insight: Envelope encryption is the standard pattern for cloud KMS services (AWS KMS, Azure Key Vault, GCP Cloud KMS). If a question describes encrypting large datasets with a cloud KMS, envelope encryption is the underlying mechanism.

Key Management in Depth

Key Lifecycle

The exam tests the full key lifecycle: generation, distribution, storage, use, rotation, suspension, revocation, and destruction. Each phase has security implications:

  • Generation: Keys must be generated using cryptographically secure random number generators. CSP KMS services use FIPS-validated hardware for key generation.
  • Storage: Keys should be stored in HSMs or dedicated KMS services, never in application code, configuration files, or environment variables in plaintext.
  • Rotation: Regular key rotation limits the impact of a key compromise. Automatic rotation applies a new key only to newly written data; existing data keeps its old key until it is re-encrypted.
  • Destruction: Key destruction must be complete and verifiable. In cloud, this is particularly important for crypto-shredding scenarios.

Hardware Security Modules (HSMs)

HSMs provide tamper-resistant hardware for key storage and cryptographic operations. Cloud HSMs (CloudHSM, Azure Dedicated HSM) provide FIPS 140-2 Level 3 validated hardware within the cloud. The exam tests when HSMs are required: regulated industries, high-security key storage, and compliance requirements that mandate hardware-based key protection.

Encryption Implementation Patterns

Client-Side Encryption

Data is encrypted before it reaches the cloud. The customer manages keys entirely, and the CSP never sees plaintext data. This gives maximum confidentiality but limits cloud-native functionality (search, indexing, processing).

Server-Side Encryption

The CSP encrypts data after receiving it. Keys may be provider-managed, customer-managed, or customer-provided. This enables cloud-native functionality, but the CSP handles plaintext data during processing.

In-Transit Encryption

Use TLS 1.2 or 1.3 for all data in transit. The exam may test whether you know that TLS 1.0 and 1.1 are deprecated and should not be used. Perfect forward secrecy (PFS) ensures that compromise of long-term keys does not expose past session data.

Key Escrow and Recovery

What happens when keys are lost? Cloud KMS services provide built-in recovery mechanisms, but bring your own key (BYOK) requires the customer to maintain key backups. The exam tests whether you plan for key recovery — losing encryption keys means losing access to all encrypted data permanently.

Key Takeaways

Use symmetric encryption for data at rest, asymmetric for key exchange. Envelope encryption is the cloud standard. Manage the full key lifecycle: generate securely, store in HSMs, rotate regularly, destroy completely. Client-side encryption maximizes security; server-side enables functionality. Never store keys alongside encrypted data. Key loss equals data loss — plan for recovery.
