Encryption in the Cloud
Encryption transforms readable data into ciphertext, which is useless without the right key. In cloud computing, encryption is everywhere: at rest, in transit, and sometimes in use. It is one of the most important controls for protecting data, but it is only as strong as the key management around it: whoever is allowed to call decrypt with the key can read the data, so access policy on keys matters as much as the cipher.
Encryption at Rest vs In Transit
ENCRYPTION OVERVIEW

  DATA AT REST                      DATA IN TRANSIT
  +------------------+              +------------------+
  | Stored on        |              | Moving           |
  | disk, S3,        |              | across the       |
  | database         |              | network          |
  +--------+---------+              +--------+---------+
           |                                 |
           v                                 v
  +------------------+              +------------------+
  | AES-256          |              | TLS 1.2/1.3      |
  | Server-Side      |              | HTTPS, VPN,      |
  | Encryption       |              | IPsec            |
  | (SSE-S3,         |              |                  |
  |  SSE-KMS,        |              | Certificates     |
  |  SSE-C)          |              | & keys           |
  +------------------+              +------------------+

  DATA IN USE (advanced)
  +--------------------------------------------------+
  | Confidential computing:                          |
  | encrypted memory, secure enclaves                |
  | (AWS Nitro Enclaves, Azure Confidential Computing)|
  +--------------------------------------------------+
Key Management Service (KMS)
KMS is a managed service for creating and controlling encryption keys. Instead of managing keys yourself, the cloud provider handles the hard part: key storage in hardware, rotation, and auditing. You tell it which key to use and, through the key policy, who may use it. The master key (AWS now calls it a KMS key; the older name CMK, customer master key, is still common and is used on this page) never leaves the service in plaintext. Applications do not encrypt bulk data with it; they ask KMS for a data key, and KMS hands back that data key both in plaintext and wrapped under the master key.
KMS WORKFLOW (envelope encryption)

  +---------------+          +--------------------+
  | Your app      |--------->| KMS                |
  |               |          | Master key (CMK)   |
  | "Generate a   |          | never leaves the   |
  |  data key"    |          | service            |
  +---------------+          +---------+----------+
                                       |
                     +-----------------+-----------------+
                     v                                   v
           +------------------+                +------------------+
           | Plaintext DEK    |                | Encrypted DEK    |
           | returned to app  |                | returned to app  |
           | (use once, then  |                | (wrapped under   |
           |  discard)        |                |  the CMK)        |
           +--------+---------+                +--------+---------+
                    |                                   |
                    v                                   |
           +------------------+                         |
           | Encrypt data     |                         |
           | locally with DEK |                         |
           +--------+---------+                         |
                    |                                   |
                    v                                   v
           +--------------------------------------------------+
           | Store ciphertext and the ENCRYPTED DEK together. |
           | To decrypt: send the encrypted DEK to KMS, get   |
           | the plaintext DEK back, decrypt locally, discard.|
           +--------------------------------------------------+
TLS/SSL for Secure Communication
TLS (Transport Layer Security) encrypts data moving between clients and servers. When you see HTTPS in the browser, that's TLS at work. SSL is the deprecated predecessor of TLS; every SSL version and TLS 1.0/1.1 are deprecated, so "SSL" in product names today almost always means TLS 1.2 or 1.3. In the cloud, you'll use TLS for API calls, load balancers, and service-to-service communication.
  Client                                           Server
    |                                                 |
    |---- ClientHello (versions, cipher suites, ----->|  "I support TLS 1.3, here is my key share"
    |      key share)                                 |
    |<--- ServerHello (chosen suite, key share) ------|  "Let's use TLS 1.3 with AES-256-GCM"
    |        both sides now derive the shared secret  |
    |<--- Certificate + CertificateVerify ------------|  "Here's my identity, proven with my private key"
    |<--- Finished -----------------------------------|
    |---- Finished ---------------------------------->|
    |                                                 |
    |==== Encrypted application data ================>|  All data from here on is encrypted

This is the TLS 1.3 shape: the key shares travel in the Hello messages, so the shared secret exists before the certificate is sent, and everything after ServerHello is already encrypted. In TLS 1.2 the key exchange is a separate step after the certificate. Either way, the certificate step only protects you if the client actually verifies the chain and the hostname; a client that skips verification (InsecureSkipVerify, curl -k) still gets encryption but will happily talk to an impostor.
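The handshake above, worked in code. This is an added example, not code from the original page: it uses Go's standard crypto/tls to run three handshakes in memory against one server that enforces a TLS 1.2 floor. The hostname api.internal, the self-signed certificate, and the helper names HardenedServer, ClientConfig and Handshake are constructed for the example. A modern client negotiates TLS 1.3; a client that only speaks TLS 1.0 is refused before any certificate is exchanged; a client that expects a different hostname fails certificate verification, which is the check that makes the "Here's my identity" step mean anything.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert mints a throwaway ECDSA P-256 certificate for the constructed
// name api.internal and a trust pool containing it, so everything runs offline.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "api.internal"},
		DNSNames:     []string{"api.internal"}, // clients match ServerName against the SANs
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// HardenedServer returns a server config that refuses TLS 1.0/1.1, plus the pool
// a client must trust to verify it. SessionTicketsDisabled is not a security
// setting; it only keeps the unbuffered net.Pipe below from blocking on the
// post-handshake session ticket.
func HardenedServer() (*tls.Config, *x509.CertPool, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return nil, nil, err
	}
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true,
	}, pool, nil
}

// ClientConfig pins the expected hostname and trust anchors; maxVersion 0 means
// "the newest version this Go release supports".
func ClientConfig(pool *x509.CertPool, serverName string, minVersion, maxVersion uint16) *tls.Config {
	return &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: minVersion, MaxVersion: maxVersion}
}

// Handshake runs one TLS handshake in memory and returns the negotiated protocol
// version, or the error the client (or, failing that, the server) reported.
func Handshake(server, client *tls.Config) (uint16, error) {
	sConn, cConn := net.Pipe()
	srvErr := make(chan error, 1)
	go func() {
		defer sConn.Close()
		srvErr <- tls.Server(sConn, server).Handshake()
	}()
	c := tls.Client(cConn, client)
	if err := c.Handshake(); err != nil {
		cConn.Close() // unblocks a server still writing its flight into the pipe
		<-srvErr
		return 0, err
	}
	defer cConn.Close()
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return c.ConnectionState().Version, nil
}

func main() {
	server, pool, err := HardenedServer()
	if err != nil {
		panic(err)
	}
	v, err := Handshake(server, ClientConfig(pool, "api.internal", tls.VersionTLS12, 0))
	fmt.Printf("modern client: version=%#x err=%v\n", v, err)
	_, err = Handshake(server, ClientConfig(pool, "api.internal", tls.VersionTLS10, tls.VersionTLS10))
	fmt.Println("TLS 1.0-only client:", err)
	_, err = Handshake(server, ClientConfig(pool, "evil.internal", tls.VersionTLS12, 0))
	fmt.Println("wrong hostname:", err)
}
```

The three outcomes are the three things a TLS configuration review actually checks: the version floor on the server, the trust anchors on the client, and that the client compares the certificate's names against the host it meant to reach. Swapping ServerName for InsecureSkipVerify would make the third handshake succeed, which is exactly why that flag keeps turning up in post-incident reports.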
Key Management Strategies
KEY MANAGEMENT OPTIONS

  Cloud-managed                      Customer-managed
  +------------------------+         +------------------------+
  | e.g. AWS S3 SSE-S3     |         | e.g. AWS KMS CMK       |
  | Provider handles       |         | You control rotation,  |
  | everything             |         | key policies, and who  |
  |                        |         | may use the key; each  |
  | Easiest, least         |         | use is logged          |
  | control                |         |                        |
  +------------------------+         +------------------------+

  Bring Your Own Key (BYOK)          Cloud HSM
  +------------------------+         +------------------------+
  | Import key material    |         | Dedicated hardware     |
  | you generated into     |         | security module that   |
  | the cloud KMS          |         | you administer         |
  |                        |         |                        |
  | You control the key's  |         | FIPS 140-2 Level 3;    |
  | origin and can delete  |         | keys never leave the   |
  | the material; the      |         | hardware boundary      |
  | cloud still performs   |         |                        |
  | the crypto with it     |         |                        |
  +------------------------+         +------------------------+
Encryption Best Practices
1. Enable default encryption on all storage (S3, EBS, RDS)
   Never rely on application-level encryption alone. Be clear about what
   default encryption buys you: it protects against lost disks and raw
   storage access, but any principal allowed to read the object still gets
   plaintext, so access policy on the data and on the key still matters.
2. Use customer-managed keys (CMK) for sensitive data
   Gives you control over who can decrypt and when, through the key policy
   and grants; disabling the key or scheduling its deletion makes every
   object encrypted under it unreadable without touching the objects.
3. Rotate keys regularly
   Most KMS services support automatic rotation; AWS KMS defaults to once
   a year. Rotation only affects new encryptions: older data stays readable
   because KMS keeps the previous key versions for decryption.
4. Separate keys from data
   Store only encrypted DEKs with the data; the CMK lives in KMS only, and
   plaintext DEKs are discarded as soon as the encryption is done.
5. Enable key usage logging
   CloudTrail records every encrypt, decrypt and data-key call together with
   the calling principal and the encryption context. Alert on key use from
   principals or contexts you did not expect.
6. Use envelope encryption
   Encrypt data with a DEK, encrypt the DEK with the CMK. KMS never sees the
   bulk data, only the small DEK (KMS Encrypt is limited to 4 KB of plaintext
   anyway), so it is faster for large datasets, and rotating the CMK means
   re-wrapping DEKs rather than re-encrypting everything.
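The KMS workflow diagram above and best practices 3, 4 and 6, worked in one piece of code. This is an added example, not code from the original page or from any cloud provider's SDK: fakeKMS is a constructed stand-in for a cloud KMS whose root keys never leave it, with GenerateDataKey / Decrypt / ReEncrypt methods shaped like the AWS KMS calls of the same name, and the key IDs, the encryption context string and the payroll row are all made up for the example. The data is encrypted locally with a fresh DEK under AES-256-GCM, only the wrapped DEK is stored next to the ciphertext, the encryption context is bound to both layers as authenticated data, and root-key rotation re-wraps the DEK without touching the bulk ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// fakeKMS is a constructed stand-in for a cloud KMS: root keys live inside it
// and are never returned. It mirrors the GenerateDataKey / Decrypt / ReEncrypt
// calls of AWS KMS; ctx plays the role of the KMS encryption context.
type fakeKMS struct{ keys map[string][]byte } // key ID -> 256-bit root key

var errUnknownKey = errors.New("unknown key id")

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a CSPRNG failure is not recoverable
	}
	return b
}

// mustGCM builds AES-256-GCM; the constructors can only fail on a wrong key
// length, which would be a programming error here (every key is 32 bytes).
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// seal encrypts under a fresh 96-bit nonce that is prefixed to the output;
// aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	aead := mustGCM(key)
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal and fails if the tag or the aad does not match.
func open(key, blob, aad []byte) ([]byte, error) {
	aead := mustGCM(key)
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// GenerateDataKey returns a fresh DEK in plaintext (use locally, then discard)
// and wrapped under the root key (store next to the data).
func (k *fakeKMS) GenerateDataKey(id string, ctx []byte) (plain, wrapped []byte, err error) {
	r, ok := k.keys[id]
	if !ok {
		return nil, nil, errUnknownKey
	}
	plain = randBytes(32)
	return plain, seal(r, plain, ctx), nil
}

// Decrypt unwraps a DEK; the same encryption context must be presented.
func (k *fakeKMS) Decrypt(id string, wrapped, ctx []byte) ([]byte, error) {
	r, ok := k.keys[id]
	if !ok {
		return nil, errUnknownKey
	}
	return open(r, wrapped, ctx)
}

// ReEncrypt re-wraps a DEK under another root key without the DEK leaving
// KMS, so rotating the root key never touches the bulk ciphertext.
func (k *fakeKMS) ReEncrypt(oldID, newID string, wrapped, ctx []byte) ([]byte, error) {
	dek, err := k.Decrypt(oldID, wrapped, ctx)
	if err != nil {
		return nil, err
	}
	r, ok := k.keys[newID]
	if !ok {
		return nil, errUnknownKey
	}
	return seal(r, dek, ctx), nil
}

// Envelope is what gets persisted: the wrapped DEK travels with the ciphertext,
// the root key stays in KMS, and the plaintext DEK is dropped after use.
type Envelope struct {
	KeyID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptEnvelope makes one KMS call for the DEK; the bulk encryption is local.
func EncryptEnvelope(kms *fakeKMS, keyID string, ctx, plaintext []byte) (*Envelope, error) {
	dek, wrapped, err := kms.GenerateDataKey(keyID, ctx)
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, ctx)}, nil
}

// DecryptEnvelope sends only the wrapped DEK to KMS, then decrypts locally.
func DecryptEnvelope(kms *fakeKMS, env *Envelope, ctx []byte) ([]byte, error) {
	dek, err := kms.Decrypt(env.KeyID, env.WrappedDEK, ctx)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, ctx)
}

func main() {
	kms := &fakeKMS{keys: map[string][]byte{"cmk-2023": randBytes(32), "cmk-2024": randBytes(32)}}
	ctx := []byte("bucket=payroll,object=q3.csv") // constructed encryption context
	env, _ := EncryptEnvelope(kms, "cmk-2023", ctx, []byte("alice,100000"))
	env.WrappedDEK, _ = kms.ReEncrypt(env.KeyID, "cmk-2024", env.WrappedDEK, ctx)
	env.KeyID = "cmk-2024"
	pt, err := DecryptEnvelope(kms, env, ctx)
	fmt.Printf("%s %v\n", pt, err)
}
```

Binding the encryption context as AAD is what stops a wrapped DEK from one object being replayed against another: presenting a different context at Decrypt fails authentication even though the root key is right. In production the fakeKMS methods map onto the real KMS client calls, and the AWS Encryption SDK implements this same envelope pattern so you do not have to hand-roll the storage format.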