How to store and send files securely
There are now well-established ways to store files in encrypted form and to transmit them privately over “hostile” public internet links.
That is good news amid so much bad news about websites being hacked and private credentials stolen. It is well known that on public wi-fi anyone nearby can read traffic that is not encrypted.
Each cloud provider (AWS, Azure, GCP, etc.) has its own mechanisms.
Qwiklabs.com: Introduction to AWS Key Management Service (free) provides hands-on instructions on these procedures:
- Create an Encryption Key
- Create an S3 bucket with CloudTrail logging functions
- Use an encryption key to encrypt data stored in a S3 bucket
- Monitor encryption key usage using CloudTrail
- Manage encryption keys for users and roles
Generate secret keys using AWS KMS
The below describes the manual way using the AWS Management Console GUI. The same operations are available through the KMS API, and therefore the AWS CLI and SDKs.
PROTIP: Use a separate data key for each dataset (or each object), so that compromise of one data key does not expose the others.
Use an internet browser to get on the AWS Management Console:
- Select your region (KMS keys are regional; a key created in one region cannot be used directly in another).
- Enter Key Management Service (KMS) in the service search box.
Notice the service’s one-line description on the landing page.
Customer Master Keys (CMKs, since renamed “KMS keys”) are created in KMS and never leave it in plaintext; every cryptographic operation that uses a CMK is performed inside the service.
Upon entry, there is a left menu:
- AWS-managed keys
- Customer-managed keys (symmetric or asymmetric)
- Customer key stores
“Create a key” on the splash screen can also be invoked from the “Customer managed keys” menu item.
Create a KMS key
When no customer-managed key is specified, AWS services that integrate with KMS (such as Cloud9) protect their data with an AWS managed key (alias aws/service-name) that KMS creates in your account on first use.
Click “Create key”.
Click “Advanced options” to view “Key material origin”. Read the KMS docs at
WARNING: A CloudHSM cluster backing a custom key store incurs an hourly fee per HSM. AWS has no visibility into or access to the keys inside your HSMs, so if the cluster and its backups are lost, the keys are gone.
On the Configure key page, select Symmetric.
Symmetric keys are like a password: a single 256-bit AES key used for both encrypt and decrypt operations.
Asymmetric keys are RSA or elliptic curve (ECC) public/private key pairs used for encrypt/decrypt or sign/verify operations; the public key can be downloaded and used outside KMS, while the private key never leaves it.
On the Add labels page, type an Alias and Description. Next.
PROTIP: Define aliases to differentiate keys within the account. Callers can refer to a key as alias/name, and an alias can be repointed to a new key when you rotate.
PROTIP: Establish a naming convention for keys across all departments, projects, etc.
Each key has a human-readable Alias and a Key ID (a UUID-style identifier with dashes), and a key state, which is Enabled after creation.
On the Define key administrative permissions page, select the user or role you are signed into the Console with. Key administrators can manage (and schedule deletion of) the key; that does not by itself grant them permission to encrypt or decrypt with it.
Advanced options: Key material origin can be KMS, External, or Custom key store (CloudHSM):
- KMS: key material is generated inside KMS HSMs validated to FIPS 140-2 Level 2. The China regions do not support asymmetric keys.
- External: you import your own key material (bring-your-own-key). KMS cannot regenerate imported material, so keep a secure copy.
- CloudHSM: HSMs validated to FIPS 140-2 Level 3, with keys and hardware exclusive to the customer, either symmetric or asymmetric.
Encrypt AWS network traffic in transit
GUI demo [3:05] in AWS Networking Deep Dive: Virtual Private Cloud (VPC), 8 Aug 2019, by Ben Piper
Transport-layer options: s2n-tls (AWS’s open-source TLS implementation; the name stands for “signal to noise”), AWS-managed Site-to-Site VPN, AWS Client VPN, AWS VPN CloudHub, or a third-party VPN tunnel.
To create a site-to-site IPsec VPN between a VPC and an on-premises network (Customer Gateway, Virtual Private Gateway, then VPN Connection):
- In the AWS Console, select VPC in the search bar or link.
- Customer Gateways menu, Create Customer Gateway.
Type a Name, select Routing (static, or dynamic with BGP), and enter the public IP address of the firewall in front of the on-premises network.
Certificate ARN and Device can be left blank.
- Virtual Private Gateways in the left menu, Create Virtual Private Gateway. Type a name.
Attach it (explicitly) to the VPC from the Actions drop-down.
- Site-to-Site VPN Connections in the left menu, Create VPN Connection.
- Type a Name tag and select the Virtual Private Gateway and the Customer Gateway.
Under static IP prefixes, Add Another Rule and type the on-premises IP prefix (the demo types “192.68”).
Customer Gateway and Tunnel Options can be left as is.
- Download configuration. In the pop-up select Vendor (“Openswan” in the demo), Platform, and Software.
Upload the configuration file to the firewall. The file contains the tunnels’ pre-shared keys, so handle it as a secret.
- Route Tables in the left menu, Edit Routes.
- Type the Destination CIDR of the on-premises network and select the virtual private gateway as Target. Add route.
Envelope encryption using AWS KMS
On the client side, the AWS Encryption SDK (or your own code calling the KMS API) performs envelope encryption: the CMK protects data keys, and data keys protect the data, so the CMK never has to leave KMS and large files never have to be sent to it.
CMK + GenerateDataKey yields a Plaintext data key and an Encrypted (wrapped) copy of the same key.
Plaintext key + Data fed into the encryption algorithm yields Encrypted data. The plaintext key is then discarded and the encrypted key is stored alongside the encrypted data.
Encrypted key + CMK fed into KMS Decrypt yields the Plaintext key again, which decrypts the data.
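The flow above, and the earlier PROTIP to use a separate data key per dataset, as an added example that is not code from the original page or from AWS. The `MockKMS` type is an assumption standing in for the real service: it keeps the master key private and exposes only GenerateDataKey and Decrypt, the two calls a real client would make with the AWS SDK. The encryption context (a map of key/value pairs) is bound as AEAD associated data, as KMS does, so a wrapped key cannot be unwrapped under a different context. The sample file contents are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// MockKMS stands in for AWS KMS (assumption, not the AWS SDK): the master
// key lives only inside this struct and is never returned to callers.
type MockKMS struct {
	keyID  string
	master cipher.AEAD // AES-256-GCM keyed with the CMK bytes
}

func NewMockKMS(keyID string) (*MockKMS, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	aead, err := newGCM(raw)
	if err != nil {
		return nil, err
	}
	return &MockKMS{keyID: keyID, master: aead}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// canonicalContext serialises the encryption context with sorted keys so the
// same map always produces the same associated data.
func canonicalContext(ctx map[string]string) []byte {
	keys := make([]string, 0, len(ctx))
	for k := range ctx {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	ordered := make([][2]string, 0, len(keys))
	for _, k := range keys {
		ordered = append(ordered, [2]string{k, ctx[k]})
	}
	b, _ := json.Marshal(ordered)
	return b
}

// seal prepends a random nonce to the AEAD output; open reverses it.
func seal(aead cipher.AEAD, pt, aad []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, pt, aad)...), nil
}

func open(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// GenerateDataKey returns a fresh 256-bit data key in plaintext plus the same
// key wrapped under the master key, with the encryption context bound as AAD.
func (k *MockKMS) GenerateDataKey(ctx map[string]string) (plaintext, wrapped []byte, err error) {
	plaintext = make([]byte, 32)
	if _, err = rand.Read(plaintext); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(k.master, plaintext, canonicalContext(ctx))
	return
}

// Decrypt unwraps a data key; it fails unless the same context is supplied.
func (k *MockKMS) Decrypt(wrapped []byte, ctx map[string]string) ([]byte, error) {
	return open(k.master, wrapped, canonicalContext(ctx))
}

// Envelope is what gets stored: the wrapped data key travels with the data.
type Envelope struct {
	WrappedKey []byte
	Ciphertext []byte
	Context    map[string]string
}

// EncryptFile gets a new data key per call (one key per dataset/object),
// encrypts locally, and discards the plaintext key.
func EncryptFile(kms *MockKMS, data []byte, ctx map[string]string) (*Envelope, error) {
	dk, wrapped, err := kms.GenerateDataKey(ctx)
	if err != nil {
		return nil, err
	}
	defer zero(dk)
	aead, err := newGCM(dk)
	if err != nil {
		return nil, err
	}
	ct, err := seal(aead, data, canonicalContext(ctx))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: ct, Context: ctx}, nil
}

// DecryptFile takes the expected context from the caller rather than trusting
// the one stored in the envelope, so a swapped envelope is rejected.
func DecryptFile(kms *MockKMS, env *Envelope, ctx map[string]string) ([]byte, error) {
	dk, err := kms.Decrypt(env.WrappedKey, ctx)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	defer zero(dk)
	aead, err := newGCM(dk)
	if err != nil {
		return nil, err
	}
	return open(aead, env.Ciphertext, canonicalContext(ctx))
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	kms, err := NewMockKMS("alias/payroll") // hypothetical alias
	if err != nil {
		panic(err)
	}
	ctx := map[string]string{"dataset": "payroll", "owner": "finance"}
	env, err := EncryptFile(kms, []byte("constructed sample: employee salary table"), ctx)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptFile(kms, env, ctx)
	if err != nil {
		panic(err)
	}
	fmt.Printf("key %s: decrypted %q\n", kms.keyID, pt)
	_, err = DecryptFile(kms, env, map[string]string{"dataset": "marketing"})
	fmt.Println("decrypt with wrong encryption context:", err)
}
```

With a real CMK, `GenerateDataKey` and `Decrypt` become `kms:GenerateDataKey` and `kms:Decrypt` API calls, which is also what shows up in CloudTrail: a decrypt of the wrapped key is logged per object, while the bulk data never leaves your process.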
Introduction to AWS Services by the AWS Training Center, Jun 9, 2019 [38:53], is a highly rated introduction.
More on Security
This is one of a series on Security in DevSecOps:
- Git Signing
- WebGoat deliberately insecure web app and vulnerability scanners
- AWS Security (certification exam)
- Cyber Security
- Security certifications