Secret encryption with Scaleway's Secret Manager

Reviewed on 23 October 2023 • Published on 20 April 2023

Secret encryption with Secret Manager

Scaleway’s Secret Manager and its underlying internal KMS work in tandem within a hierarchical key management system to provide a secure and efficient solution for managing your secrets. By organizing encryption keys in a hierarchical structure and leveraging a non-public KMS, this approach mitigates the risk of key compromise while simplifying key distribution, storage, and revocation.

Secret Manager employs a Hierarchical Key Management System (HKMS) to ensure robust security and efficient key management for sensitive customer data. This HKMS uses a non-public key management system (KMS) behind the scenes, to handle encryption and decryption tasks. The KMS is an essential component in the architecture, as it provides a robust protection and enhances the overall security of the data storage process.

Key management system organization

A hierarchical key management system organizes encryption keys into a multi-layered structure. This allows for better control, flexibility, and efficiency in key distribution, storage, and protection. This architecture is especially suitable for organizations like Scaleway, which are dedicated to protecting sensitive data and facilitating secure data exchanges.

The key hierarchy within the HKMS involves three types of encryption keys that work together to create a secure environment for data protection:

Root Encrypting Key (REK): The REK, also known as the master key, sits at the top of the key hierarchy. It is responsible for encrypting and protecting the key encrypting keys (KEKs) in the system. The REK is the most critical key, as its compromise could lead to the exposure of all other keys. Therefore, it is securely stored in an offline secure vault.
Key Encrypting Keys (KEKs): KEKs are one level below the REK and are used for encrypting and protecting data encrypting keys (DEKs). KEKs add an additional layer of security by ensuring that even if a DEK is compromised, an attacker would still need the corresponding KEK to decrypt the protected data. KEKs are safeguarded by the REK and are stored on a separate set of replicated databases, hosted on different hardware with encrypted filesystems at rest.
Data Encrypting Keys (DEKs): DEKs, the lowest level in the key hierarchy, are responsible for encrypting and decrypting the actual customer’s secrets. DEKs are encrypted by KEKs, which provides an extra layer of protection. They are stored on a separate set of replicated databases, hosted on different hardware with encrypted filesystems at rest.

Scaleway’s Secret Manager uses the internal KMS to handle the encryption and decryption of your secrets, making it an integral part of the overall security architecture. The KMS ensures that the Secret Manager has access to the necessary keys for managing customer data securely.

The advantages of this hierarchical key management system include:

Key rotation and revocation: Periodic key rotation or revocation improves overall security. If a key in the hierarchy is compromised, it can be revoked, and a new key is generated and used.
Security: The use of multiple keys enhances security, as attackers would need to compromise more than one key to access sensitive information.
Access control and auditing: Access to keys is restricted based on predefined roles or privileges, ensuring that only authorized personnel can manage keys.