neufuse Posted June 7, 2019

We are moving to encryption at rest for everything, and with this our storage system wants a key management server to store the keys on. We have no experience with this; Dell is recommending Gemalto and Thales (which are apparently the same company now). Anyone have any experience with these? We aren't looking at storing too many keys, maybe a few hundred at most. Any idea what one of these runs price-wise? Having a heck of a time finding pricing without talking to a sales person. Any other KMS vendors out there to look at?
DevTech Posted June 7, 2019

> 3 hours ago, neufuse said:
> We are moving to encryption at rest for everything, and with this our storage system wants a key management server to store the keys on. We have no experience with this; Dell is recommending Gemalto and Thales (which are apparently the same company now). Anyone have any experience with these? We aren't looking at storing too many keys, maybe a few hundred at most. Any idea what one of these runs price-wise? Having a heck of a time finding pricing without talking to a sales person. Any other KMS vendors out there to look at?

https://github.com/search?o=desc&p=1&q=%2Bkms&s=updated&type=Repositories

Which led to this fine CNCF-approved product: https://www.vaultproject.io

They have an Enterprise version of their OSS project: https://www.hashicorp.com/products/vault/enterprise
neufuse (Author) Posted June 8, 2019

> 2 hours ago, DevTech said:
> https://github.com/search?o=desc&p=1&q=%2Bkms&s=updated&type=Repositories
> Which led to this fine CNCF-approved product: https://www.vaultproject.io
> They have an Enterprise version of their OSS project: https://www.hashicorp.com/products/vault/enterprise

Thanks, looking at this one now. Any others out there that anyone's heard of or used?
DevTech Posted June 8, 2019

> 7 hours ago, neufuse said:
> Any others out there that anyone's heard of or used?

When I was poking around, I was surprised at the number of people using the specialized KMS service from AWS and Azure (Google Cloud has one too, but it does not seem popular).

When you think about it, encryption keys are key to all security and therefore represent a key attack vector. Once you have a security asset that is the key to everything, there is no upside to taking on that particularly tricky key responsibility. All key puns aside, in good Dilbert tradition, it appears that a huge number of people are choosing to offload the risks of managing that to a known "good" service.

"AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect your keys." - I guess that is where the Thales stuff enters the picture...

AWS: https://aws.amazon.com/kms/
Azure: https://azure.microsoft.com/en-ca/services/key-vault/
Azure Key Vault KMS plugin for Kubernetes: https://github.com/Azure/kubernetes-kms
MongoDB docs show how this works: https://docs.atlas.mongodb.com/security-azure-kms/
DevTech Posted June 8, 2019

> 8 hours ago, neufuse said:
> Any others out there that anyone's heard of or used?

Well, as you know there are some great people at Neowin, but considering the nature of your investigation, you might want to post the question on the Spiceworks forums? https://community.spiceworks.com/group?source=navbar-footer

Either way, please post back in the end what you find out or end up implementing.

NONE of the famous "break-ins" of user data in the last 30 years would have happened if large companies like Facebook, who should know better, had just encrypted all user data and access info. Imagine an internet where there were no firewalls and hackers could look at anyone's server real easy, but everything they could see was a bunch of meaningless encrypted info? All those password thefts? Impossible. Hillary's emails? Impossible. All that Wikileaks stuff? Impossible. Humans actually dying because they were exposed on dating sites? Impossible.

Firewalls have always been a stupid example of Medieval thinking in a digital world. Erect a big castle wall around your precious data? Stupid. Make your data meaningless? Not stupid.

So finally, after all these years of watching this plain-as-day stupidity play out, a simple phrase has managed to cut through the dim-witted thinking of I.T. brains - "Encryption at Rest" - better late than never....

Thanks for your post. It was a joy to see. And I normally find security stuff quite boring...
neufuse (Author) Posted June 15, 2019 (edited)

Well, we talked to one of the companies (they are all merging from what we can tell): Vormetric merged with Thales, then Gemalto merged with Thales... well, Thales wants $40,000 for a base KMS system... 40K...... They also try to claim they are the only certified KMIP1 spec providers.... I know there are others... but they are aggressively buying them up.
DevTech Posted June 17, 2019

> On 6/14/2019 at 9:45 PM, neufuse said:
> Well, we talked to one of the companies (they are all merging from what we can tell): Vormetric merged with Thales, then Gemalto merged with Thales... well, Thales wants $40,000 for a base KMS system... 40K...... They also try to claim they are the only certified KMIP1 spec providers.... I know there are others... but they are aggressively buying them up.

Thanks for the update. Can't you get around the custom hardware requirement by using AWS or Azure as an "anchor" for a local HashiCorp Vault or similar software?
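One concrete form of the "anchor" DevTech is asking about, as an added example that is not from anyone in this thread or from HashiCorp's own documentation: a Vault server config whose awskms seal wraps Vault's root key with an AWS KMS key, so Vault auto-unseals through the cloud KMS while the secrets themselves stay on local storage. The region, key ARN, file paths, hostname and IAM principal are placeholders.

```hcl
# vault.hcl: Vault server configuration (added example; all values are placeholders).
# Assumes Vault 1.0+ (auto-unseal is in the OSS build) and an AWS IAM identity
# available to the Vault process (instance profile or AWS_* environment variables)
# whose policy allows only kms:Encrypt, kms:Decrypt and kms:DescribeKey on this key.

# Secrets and the wrapped root key live on local disk, not in the cloud.
storage "file" {
  path = "/opt/vault/data"
}

# Clients reach Vault over TLS only; certificate paths are placeholders.
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/tls/vault.crt"
  tls_key_file  = "/etc/vault/tls/vault.key"
}

# The "anchor": AWS KMS only ever sees Vault's root key, wrapped.
# Losing access to this KMS key (scheduled deletion, revoked IAM permissions,
# network partition from AWS) means Vault cannot unseal, so the key policy
# and CloudTrail logging of Decrypt calls on it are part of the design.
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID" # placeholder ARN
}

# Azure equivalent, for comparison (a config carries exactly one seal stanza):
# seal "azurekeyvault" {
#   tenant_id     = "PLACEHOLDER-TENANT-ID"
#   client_id     = "PLACEHOLDER-CLIENT-ID"
#   client_secret = "PLACEHOLDER"      # prefer a managed identity over a secret in config
#   vault_name    = "placeholder-keyvault"
#   key_name      = "vault-unseal"
# }

api_addr = "https://vault.example.internal:8200"
ui       = false
```

With this seal, `vault operator init` hands out recovery keys instead of unseal key shares, and anyone who can call Decrypt on that KMS key can effectively unseal Vault, so the KMS key policy rather than the storage backend becomes the access boundary to protect.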
fusi0n Posted June 17, 2019

I highly recommend Vault as well.
neufuse (Author) Posted June 17, 2019 (edited)

> 5 hours ago, DevTech said:
> Thanks for the update. Can't you get around the custom hardware requirement by using AWS or Azure as an "anchor" for a local HashiCorp Vault or similar software?

Haven't gotten pricing from HashiCorp yet for their enterprise version (they don't support KMIP, btw, which we do need for our SAN). They might not be bad for KMS for our VMware environment; not sure how well they play with our Dell SANs. They should be standards compliant, but who knows, some vendors like to tweak specs... Dell only supports Gemalto and Thales, and you know how vendor support is.... don't do what we say, then get lost when you need any help... so time for testing of more stuff. We are looking at HyTrust now since it does support KMIP1.
neufuse (Author) Posted June 17, 2019

HyTrust pricing starts at $5k a year per 5 VMs.... why is this stuff so expensive? It's just certificate and key management...
neufuse (Author) Posted July 11, 2019

> On 6/17/2019 at 8:59 AM, neufuse said:
> HyTrust pricing starts at $5k a year per 5 VMs.... why is this stuff so expensive? It's just certificate and key management...

I need to add that if you want to use HyTrust, you need a VMware Enterprise license... else you can't do the encrypted vSAN or even vTPMs.