Cloud Key Management

AWS KMS Vs Azure Key Vault Vs GCP KMS


The IT world across the globe has been dominated by news of global data breaches and cloud data leaks. From accidental disclosure of sensitive data to stolen card data, it appears that the trend will continue, and nobody is sure how safe their data is, especially in the cloud.

Because of this, we have seen a continuous uptrend in the use of encryption technology in every organization’s IT department: it adds a safety layer to the company’s critical data and makes that data unusable to anyone who does not hold the associated key, be it an internal or an external bad actor.

Based on industry experience, we can say that the security provided by any cryptographic system does not depend much on the cipher it uses but depends heavily on the security of the associated keys. You can use any cipher with a good key length, but that does not guarantee protection unless the keys are secured. Managing a single key manually is relatively easy; when the number of keys in use is large, managing them becomes cumbersome. Hence the need for automated key management services for data encryption.

A key management service for any cryptosystem can be thought of as managing the complete lifecycle of keys: generation, storage, activation, distribution, rotation, expiration, revocation, and destruction.

We can classify the key management systems under three broad categories:

  • Software-based KMS

    A software-based KMS is standalone software installed in a physical or virtual environment. From a cost perspective, software-based KMS solutions are cheaper and easier to install than hardware-based ones.

  • Hardware-based KMS

    A hardware-based KMS is a specialized, tamper-proof hardware appliance built for cryptographic operations and key management, known as a Hardware Security Module (HSM). An HSM can be integrated with a software-based KMS, or the KMS software can be embedded in the HSM itself.

  • Cloud-based KMS

    A cloud-based KMS is a service offering from a cloud service provider. All three of the biggest CSPs (AWS, Azure, and GCP) provide KMS as a managed service on a pay-as-you-go model, which means the customer does not have to manage the underlying software or hardware. The other services within each CSP’s environment are also seamlessly integrated with its KMS.

Now that we have discussed the types of KMS in general, the next obvious question is which cloud-based KMS vendor is best for you.

Choosing among the three CSPs (Amazon Web Services, Microsoft Azure, or Google Cloud Platform) is heavily debated by users. Moving data to the public cloud is becoming the standard for organizations. The two main goals in protecting that data are preventing unauthorized access and meeting compliance regulations, and cloud security must be a priority for everyone in the organization. In the next section, we summarize our comparison of the three biggest players in cloud computing:

  1. Amazon Web Services (AWS) Key Management System (KMS)
  2. Microsoft Azure Key Vault
  3. Google Cloud Platform (GCP) Key Management System (KMS)

AWS Key Management Service (KMS)

AWS KMS is a managed service used to create and manage encryption keys. The two types of keys in AWS KMS are Customer Master Keys (CMKs) and data keys. A CMK can directly encrypt and decrypt up to 4 KB of data, whereas data keys are generated, encrypted, and decrypted by CMKs. CMKs never leave AWS KMS; keys created by AWS KMS are never sent outside the AWS region in which they were created and can only be used in that region. CMKs can be customer-managed or AWS-managed. CMKs encrypt and decrypt the data keys, and data keys encrypt and decrypt the actual customer data. AWS KMS does not store, manage, or track data keys.

AWS KMS cannot use a data key to encrypt or decrypt data for you; users have to use and manage data keys on their own. By default, AWS KMS uses FIPS 140-2 validated hardware security modules (HSMs) and supports FIPS 140-2 validated endpoints, ensuring the confidentiality and integrity of your keys.
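The envelope flow described above (a master key that never leaves the service wraps per-object data keys, the service keeps no record of those data keys, and the client encrypts the bulk data locally) as an added example in Go, not code from the page or from any of the three providers. The KMS type is a hypothetical in-memory stand-in whose master key plays the CMK role; the same wrap/unwrap pattern applies to Azure Key Vault and Google Cloud KMS, and data is encrypted locally with AES-GCM from the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// gcm turns a raw 256-bit key into AES-GCM; seal prepends a fresh nonce that open strips.
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); a, _ := cipher.NewGCM(b); return a }
func seal(a cipher.AEAD, pt []byte) []byte { n := randBytes(a.NonceSize()); return a.Seal(n, n, pt, nil) }
func open(a cipher.AEAD, ct []byte) ([]byte, error) {
	if n := a.NonceSize(); len(ct) >= n {
		return a.Open(nil, ct[:n], ct[n:], nil) // errors on any tampering (GCM tag check)
	}
	return nil, errors.New("ciphertext too short")
}

// KMS is a hypothetical in-memory stand-in for the service; master plays the CMK role
// (a data key is 32 bytes, well under the 4 KB the page gives for direct CMK use).
type KMS struct{ master cipher.AEAD }

func NewKMS() *KMS { return &KMS{master: gcm(randBytes(32))} }

// Decrypt unwraps anything the master key sealed, here a wrapped data key.
func (s *KMS) Decrypt(ct []byte) ([]byte, error) { return open(s.master, ct) }

// GenerateDataKey returns a fresh data key in plaintext plus its wrapped copy; the service
// stores neither, so the caller keeps the wrapped form beside the ciphertext (the Envelope).
func (s *KMS) GenerateDataKey() (plain, wrapped []byte) { plain = randBytes(32); return plain, seal(s.master, plain) }

// Envelope is what the client persists: the wrapped data key travels with the data ciphertext.
type Envelope struct{ WrappedKey, Ciphertext []byte }

// EnvelopeEncrypt encrypts data of any size locally; only the 32-byte data key touches the KMS.
func EnvelopeEncrypt(s *KMS, data []byte) Envelope {
	plain, wrapped := s.GenerateDataKey()
	return Envelope{WrappedKey: wrapped, Ciphertext: seal(gcm(plain), data)}
}

// EnvelopeDecrypt asks the KMS to unwrap the data key, then decrypts locally.
func EnvelopeDecrypt(s *KMS, e Envelope) ([]byte, error) {
	plain, err := s.Decrypt(e.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(gcm(plain), e.Ciphertext)
}
```

Losing the wrapped key with the ciphertext loses the data, and a KMS with a different master key cannot unwrap it, which is exactly the region and account boundary the page describes.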

Microsoft Azure Key Vault

Microsoft Azure Key Vault is used to store secrets such as tokens, passwords, certificates, and API keys, and it can also be used as a key management solution. Key Vault can protect keys and secrets in hardware security modules (HSMs). Key Vault supports RSA and Elliptic Curve keys only. Microsoft will not see your keys, but processes them in FIPS 140-2 Level 2 validated HSMs.

GCP Key Management Service

Google Cloud Key Management Service (KMS) is Google Cloud’s encryption key management offering, used to implement cryptographic functions for enterprises. Google Cloud KMS uses a 256-bit AES key to protect data and can also be used to manage the keys that encrypt other types of sensitive data such as API tokens and user credentials. Google exposes Cloud KMS via REST APIs through which users can create, list, update, and destroy keys, which helps enterprises spanning the globe manage a large number of keys. It also provides AES keys in a five-level hierarchy, with a 24-hour delay before a key deletion takes effect.

The table below summarizes the comparison of AWS KMS, Azure Key Vault, and Google Cloud KMS by service feature:

#  | Feature                   | AWS KMS                                                                                                  | Azure Key Vault                                                                                                                                         | Google Cloud KMS
---|---------------------------|----------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------
1  | Key Storage               | Appliance (Software + Hardware)                                                                          | Appliance* (Software)                                                                                                                                   | Appliance (Software + Hardware)
2  | FIPS 140-2 Level          | Level 2                                                                                                  | Level 2                                                                                                                                                 | Level 1
3  | Key Types                 | Symmetric and Asymmetric                                                                                 | Asymmetric                                                                                                                                              | Symmetric and Asymmetric
4  | BYOK (Bring Your Own Key) | AES 256-bit wrapped by RSA 2048-bit                                                                      | RSA wrapped by AES and RSA-OAEP                                                                                                                         | AES 256-bit wrapped by RSA 3072-bit
5  | Symmetric Key Length      | 256-bit AES                                                                                              | None                                                                                                                                                    | 256-bit AES
6  | Asymmetric Key Length     | 2048-bit, 3072-bit, 4096-bit RSA                                                                         | 2048-bit, 3072-bit, 4096-bit RSA                                                                                                                        | 2048-bit, 3072-bit, 4096-bit RSA
7  | Encryption Modes          | AES-GCM, RSA-OAEP                                                                                        | AES-GCM, RSA-OAEP                                                                                                                                       | RSA PKCS#1v1.5, RSA-OAEP
8  | Plain-text size limit     | 4 KB                                                                                                     | 0.25 KB                                                                                                                                                 | 64 KB
9  | Signature Modes           | RSA-PSS; RSA PKCS#1v1.5; ECDSA with P-256; ECDSA with P-384; ECDSA with P-512; ECDSA with SECP-256k1     | RSA-PSS; RSA PKCS#1v1.5; ECDSA with P-256; ECDSA with P-384; ECDSA with P-512; ECDSA with SECP-256k1                                                    | RSA-PSS; RSA PKCS#1v1.5; ECDSA with P-256; ECDSA with P-384
10 | Key Capabilities          | AWS Managed Service; Encryption/Decryption; Sign/Verify; Auditing; REST APIs; Support Customer Managed Keys | Support tokens, passwords, certificates, API keys, and other secrets; Encryption/Decryption; Sign/Verify; Key Vault logging; REST APIs; Support Customer Managed Keys | Encryption/Decryption; Sign/Verify; Auditing; REST APIs

*Azure Key Vault integration with Azure’s Managed HSM is in public preview and might become generally available in the future.

Conclusion

The continuous uptrend in encryption technology means more and more keys to manage, which forces enterprises to adopt automated key management systems to handle large numbers of keys efficiently. Given the high demand for key management, the three biggest CSPs (Cloud Service Providers) are in cut-throat competition to add more features to the KMS services in their environments; however, choosing between them often becomes confusing given the limited documentation. Encryption Consulting helps customers get familiar with the latest and most advanced security features, tools, and documentation, and assists them in harnessing the true value of these services when deploying them in their environment, keeping the organization’s business objectives intact.


About the Author

Dipanshu Bhatnagar is a Principal Consultant, Cloud Security Specialty, at Encryption Consulting, working with PKIs, AWS Cloud cryptographic services and tools, and Google Cloud cryptographic services, and helping high-profile clients on their cloud journey with complete data privacy assurance.
