AWS KMS and Piiano Vault both provide encryption features. As most people have access to a KMS through their cloud provider, we're often asked why they should consider using Piiano Vault to encrypt their PII data.
In this post, we examine the encryption features of KMS and Piiano Vault. We show how Vault’s privacy-aware approach provides superior control and simplifies compliance with various privacy regulations and laws.
What are we talking about?
A Key Management Service (KMS) is a key encryption service used primarily to create, store, and control encryption keys. Cloud providers may then offer additional features. For example, as part of their KMS, AWS provides add-ons for:
- A limited-size blob encryption and decryption service.
- A client-side SDK that works around the size limitations of the encryption service.
Piiano Vault is a data protection service that stores or encrypts large amounts of sensitive personal data (PII, PHI, PCI, KYC, secrets, etc.), enabling compliance with standards and regulations such as PCI, CCPA, and GDPR. Vault uses AWS KMS for holding its root encryption key (KEK). Vault also offers stateless encryption APIs.
As described, a KMS and Piiano Vault offer a simple standalone REST API for a fully remote service to encrypt and decrypt your data. While a KMS is oblivious to the content of the data it encrypts, Piiano Vault focuses on semantic data types and privacy controls to assist with compliance and management of the sensitive data.
💡 This article discusses AWS KMS, but the same concepts hold true for GCP KMS and Azure Key Vault. We only reference the AWS implementation for brevity.
AWS KMS Encryption API
The AWS KMS encryption APIs provide functions to encrypt blobs and return them to applications, and decrypt ciphertext encrypted by the KMS. The encryption is done under a KMS key of your choosing.
The KMS considers all data as blobs and cannot provide any added-value services on top of that data.
Main features
- Cryptographic operations: REST APIs (and AWS SDKs) to encrypt plaintext and decrypt ciphertext.
- The plaintext is limited to 4KB.
- The KMS requires the caller application to have IAM privileges.
- The encryption request includes:
1. Encryption context: a list of non-secret key/value pairs representing additional authenticated data, which must be provided for the decryption.
2. Grant tokens: a list of grant tokens. These grant authority to other AWS roles to work with the encrypted data.
3. Key ID: the KMS ID, such as a key ARN. (e.g.arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab)
4. The plaintext: Base64-encoded binary data object limited to 4096 bytes.
💡The AWS KMS does not store encrypted data. Storing and managing the encrypted data is up to you.
Piiano Vault Encryption API
Features
Piiano Vault’s encryption APIs provide features to encrypt and decrypt data as well as easily update fields in encrypted objects. You can also obtain a hash of the source data without creating an encrypted object. In addition to these features available in the stateless version of Vault, the stateful version can also store data as you encrypt it.
Unlike a KMS, you define to Vault the schemas for the collections of sensitive data you want to encrypt. Vault is then aware of the semantic meaning of each field in the items encrypted or decrypted. On top of this, you can define identity and access management policies to control who and what can encrypt and decrypt data.
Main features
- Cryptographic operations: REST APIs (and Piiano SDKs for selected languages) to encrypt plaintext and decrypt ciphertext.
- Plaintext size is unlimited (for performance reasons, use blob types for larger records. The Vault roadmap includes support for files of many MBs).
- The encryption request includes:
1. Validation: checks the data type of input against a data schema.
2. Expiration: optionally expires encrypted content.
3. Traceability: the reason for access, which is logged.
4. Encryption type: randomized or deterministic.
5. The plaintext: base64 cipher text.
6. Scope: A friendly way to categorize and manage the data. An object encrypted with a scope can be decrypted only with the same scope.
Access to the Vault is managed through its own API keys.
Piiano Vault’s value-added services
In addition to simply encrypting a blob, Piiano Vault provides for:
- Configuring a schema for the data and validating the data being encrypted against that schema. This schema is defined using data types. Vault includes many common PII data types, along with their validators, normalizes, and transformers. You can also define custom data types.
- Configuring fine-grained field-level access control.
- Limiting access to certain fields by enabling the retrieval of a transformed value, such as the last 4 digits of a credit card.
- Auditing all access, including traceability and property-specific granularity.
- Enforcing expiration on objects and preventing their retrieval after the expiration lapses.
- Updating of a field within an encrypted data blob inside the Vault. Without this functionality, the entire blob must be brought in clear text to the application, updated there, and pushed back to the Vault. Vault’s approach avoids exposing sensitive information unrelated to the update.
- Injecting user logic for validation, transformation, and normalization using a built-in Javascript engine.
- Running as a binary or container, which is convenient for development and CI workflows. Data never leaves your cloud environment.
Piiano provides SDKs for Python, Java, and TypeScript and a command line tool. When using an ORM integration, Vault transparently encrypts and decrypts data for the objects you read and write from your database. That approach may be advantageous if you use an ORM and want to move from cleartext data to encrypted data with minimal changes to your code.
Piiano Vault versus KMS
For this comparison, we consider a system with the following characteristics:
- 1M records
- 1000 requests per second
- A small number of keys
- The region is Ohio (us-east-2)
💡AWS pricing information was taken from https://aws.amazon.com/kms/pricing/ and ours here.
Recap
AWS KMS provides a proven key management and encryption service. However, as a tool to encrypt sensitive personal data, it is limited by the size of items it can encrypt and the cost. Also, integration may require some AWS expertise from DevOps or DevSecOps teams.
Piiano Vault’s encryption APIs provide a developer-ready solution for application data encryption (using a KMS internally to store keys for root trust and adequate security). The solution is geared towards backend developers and doesn’t require the user to be AWS proficient. It can also be much cheaper for certain use cases. Piiano Vault runs on the most popular cloud providers and can be deployed in various ways to meet your needs. It also provides a totally local developer environment.
Lastly, it’s worth mentioning that Vault has a broader scope than a KMS with respect to encryption. In its stateful implementation, it stores sensitive data and generates tokens, controls the lifecycle of objects and tokens, and has more features. And, all these features are available within the same API.
It's really easy to start using our Vault, create a free trial account here.
David is a seasoned senior manager with a rich 20-year history in professional development, having worked at a broad range of companies including Intel, Check Point, EMC, and SentinelOne. He has a unique passion for the mix of managing software development teams and building cloud infrastructure.
It all begins with the cloud, where applications are accessible to everyone. Therefore, a user or an attacker makes no difference per se. Technically, encrypting all data at rest and in transit might seem like a comprehensive approach, but these methods are not enough anymore. For cloud hosted applications, data-at-rest encryption does not provide the coverage one might expect.
Senior Product Owner
