• Sign in to Neowin Faster!

    Create an account on Neowin to contribute and support the site.

Sign in to follow this  

Key Management Server (security)

Recommended Posts

neufuse    3,595

We are going to encryption at rest for everything, and with this our storage system wants a Key management server to store the keys on..

 

We have no experience with this, Dell is recommending Gemalto and Thales (which are apparently the same company now)

 

Anyone have any experience with these? We aren't looking at storing too many keys, maybe a few hundred at most...

 

Any idea what one of these runs price wise? Haven't a heck of a time finding pricing without talking to a sales person..

 

Any other KMS vendors out there to look at?

Share this post


Link to post
Share on other sites
DevTech    1,517
3 hours ago, neufuse said:

We are going to encryption at rest for everything, and with this our storage system wants a Key management server to store the keys on..

 

We have no experience with this, Dell is recommending Gemalto and Thales (which are apparently the same company now)

 

Anyone have any experience with these? We aren't looking at storing too many keys, maybe a few hundred at most...

 

Any idea what one of these runs price wise? Haven't a heck of a time finding pricing without talking to a sales person..

 

Any other KMS vendors out there to look at?

https://github.com/search?o=desc&p=1&q=%2Bkms&s=updated&type=Repositories

 

Which led to this fine CNCF approved product:

 

https://www.vaultproject.io

 

They have an Enterprise version of their OSS project:

 

https://www.hashicorp.com/products/vault/enterprise

 

 

Share this post


Link to post
Share on other sites
neufuse    3,595
2 hours ago, DevTech said:

https://github.com/search?o=desc&p=1&q=%2Bkms&s=updated&type=Repositories

 

Which led to this fine CNCF approved product:

 

https://www.vaultproject.io

 

They have an Enterprise version of their OSS project:

 

https://www.hashicorp.com/products/vault/enterprise

 

 

thanks, looking at this one now..

 

any others out there that anyones heart of or used?

  • Haha 1

Share this post


Link to post
Share on other sites
DevTech    1,517
7 hours ago, neufuse said:

any others out there that anyones heart of or used?

When I was poking around, I was surprised at the number of people using the specialized KMS service from AWS and Azure (Google Cloud has one too, but does not seem popular) 

 

When you think about it, encryption keys are key to all security and therefore represent a key attack vector. Once you have a security asset that is the key to everything, there is no upside to taking on that particularly tricky key responsibility. All key puns aside, in good Dilbert tradition, it appears that a huge number of people are choosing to offload the risks of managing that to a known "good" service.

 

" AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect your keys." - I guess that is where the Thales stuff enters the picture...

 

AWS: https://aws.amazon.com/kms/

 

Azure: https://azure.microsoft.com/en-ca/services/key-vault/

 

Azure Key Vault KMS plugin for Kubernetes - https://github.com/Azure/kubernetes-kms

 

 

 

MongoDB docs shows how this works:

 

https://docs.atlas.mongodb.com/security-azure-kms/

 

Share this post


Link to post
Share on other sites
DevTech    1,517
8 hours ago, neufuse said:

any others out there that anyones heart of or used?

Well as you know some great people at Neowin but considering the nature of your investigation, you might want to post the question on the Spiceworks forums?

 

https://community.spiceworks.com/group?source=navbar-footer

 

Either way, please post back in the end what you find out or end up implementing. 

 

NONE of the famous "break ins" of user data in the last 30 years would have happened if large companies like Facebook who should know better had just encryped all user data and access info. Imagine an internet where there were no firewalls and hackers could look at anyones server real easy but everything they could see was a bunch of meaningless encrypted info? All those password thefts? impossible. Hillary's emails? impossible. All that Wikileaks stuff? impossible. Humans actually dying because they were exposed on dating sites? impossible.

 

Firewalls have always been a stupid example of Medieval thinking in a digital world. Erect a big castle wall around you precious data? stupid. Make your data meaningless? not stupid.

 

So finally after all these years of watching this plain as day stupidity play out, a simple phrase has managed to cut through the dim-witted thinking of I.T. brains - "Encryption at Rest" - better late than never....

 

Thanks for your post. It was a joy to see. And I normally find security stuff quite boring...

 

Share this post


Link to post
Share on other sites
neufuse    3,595
Posted (edited)

Well we talked to one of the companies (they are all merging from what we can tell) Volumetric, merged with Thales then Genalto merged with Thales...

 

well Thales wants $40,000 for a base KMS system...

 

40K......

 

They also try to claim they are the only certified KMIP1 spec providers.... I know there are others... but they are aggressively buying them up

Share this post


Link to post
Share on other sites
DevTech    1,517
On 6/14/2019 at 9:45 PM, neufuse said:

Well we talked to one of the companies (they are all merging from what we can tell) Volumetric, merged with Thales then Genalto merged with Thales...

 

well Thales wants $40,000 for a base KMS system...

 

40K......

 

They also try to claim they are the only certified KMIP1 spec providers.... I know there are others... but they are aggressively buying them up

Thanks for the update.

 

Can't you get around the custom hardware requirement by using AWS or Azure as an "anchor" for a local Hashicorp Vault or similar software?

 

Share this post


Link to post
Share on other sites
+fusi0n    1,958

I highly recommend Vault as well. 

Share this post


Link to post
Share on other sites
neufuse    3,595
Posted (edited)
5 hours ago, DevTech said:

Thanks for the update.

 

Can't you get around the custom hardware requirement by using AWS or Azure as an "anchor" for a local Hashicorp Vault or similar software?

 

Haven't gotten pricing from Hasicorp yet for their enterprise version (they don't support KMIP btw, which we do need for our san), they might not be bad for KMS for our VMware environment, not sure how well they play with our dell SAN's they should be standard compliant but who knows, some vendors like to tweak specs...

 

Dell only supports Gemalto and Thales, and you know how vendor support is.... dont do what we say then get lost when you need any help... so time for testing of more stuff

 

we are looking at Hytrust now since it does support KMIP1

Share this post


Link to post
Share on other sites
neufuse    3,595

Hytrust pricing starts at $5k a year per 5 VM's....

 

why is this stuff so expensive, it's just certificate and key management...

Share this post


Link to post
Share on other sites
neufuse    3,595
On 6/17/2019 at 8:59 AM, neufuse said:

Hytrust pricing starts at $5k a year per 5 VM's....

 

why is this stuff so expensive, it's just certificate and key management...

I need to add that if you want to use Hytrust, you need vmWare enterprise license... else you can't do the Encrypted vSAN or even vTPMs

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.