AWS vs Azure KMS

Deciding which cloud crypto vendor is best for you? The choice between Amazon Web Services and Microsoft Azure is heavily debated. Moving data to the public cloud is becoming the standard for organizations, and there are two main reasons to protect that data: keeping it away from unauthorized access and meeting compliance regulations. Cloud security must be a priority for everyone in the organization. Encryption is only as strong as the protection of its keys, and key protection and management are offered by Amazon Web Services Key Management Service (AWS KMS) and Microsoft Azure Key Vault. In today’s blog, Encryption Consulting summarizes AWS KMS and Microsoft Azure Key Vault.

Amazon Web Services Key Management Service (AWS KMS):

AWS KMS is a managed service for creating and managing encryption keys. The two types of keys in AWS KMS are Customer Master Keys (CMKs) and data keys. A CMK can directly encrypt and decrypt up to 4 kilobytes of data. Data keys are generated by a CMK and are encrypted and decrypted under it, while the CMK itself never leaves AWS KMS. CMKs can be customer managed or AWS managed. Data keys are what encrypt your data, but AWS KMS does not store, manage or track them and will not use a data key to encrypt data on your behalf: you use and manage the data keys yourself. AWS KMS uses FIPS 140-2 validated hardware security modules (HSMs) and supports FIPS 140-2 validated endpoints, ensuring the confidentiality and integrity of your keys.
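To make the CMK/data-key split concrete, here is an added example in Go (not from the Encryption Consulting post, and not AWS code) that walks the envelope-encryption flow the paragraph describes. The KMS type is a local stand-in for the service boundary rather than the real API: its GenerateDataKey and Decrypt methods only borrow the names of the AWS KMS operations, and EnvelopeEncrypt, EnvelopeDecrypt, seal, open, gcm and random are this example's own names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KMS is a local stand-in for the AWS KMS boundary (an assumption, not the real API): the CMK
// never leaves it, callers only get data keys and CMK-wrapped blobs, and it keeps no data keys.
type KMS struct{ cmk []byte } // construct with &KMS{cmk: random(32)}: a fresh AES-256 CMK
func random(n int) []byte { // n bytes from crypto/rand; a failure there is not recoverable
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}
func gcm(key []byte) cipher.AEAD { // every key here is 32 bytes, so neither call can fail
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	g, _ := cipher.NewGCM(block)
	return g
}
// seal prefixes a fresh 12-byte nonce to the AES-GCM output; open reverses it and rejects tampering.
func seal(key, plaintext []byte) []byte {
	nonce := random(12)
	return gcm(key).Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 { return nil, errors.New("ciphertext too short") }
	return gcm(key).Open(nil, sealed[:12], sealed[12:], nil)
}
// GenerateDataKey returns a fresh data key in plaintext plus its CMK-wrapped form; Decrypt unwraps it.
func (k *KMS) GenerateDataKey() (plain, wrapped []byte) {
	plain = random(32)
	return plain, seal(k.cmk, plain)
}
func (k *KMS) Decrypt(wrapped []byte) ([]byte, error) { return open(k.cmk, wrapped) }
// EnvelopeEncrypt seals data locally under a data key; only that 32-byte key touches KMS, then it is zeroed.
func EnvelopeEncrypt(k *KMS, data []byte) (wrappedKey, ciphertext []byte) {
	plain, wrappedKey := k.GenerateDataKey()
	ciphertext = seal(plain, data)
	for i := range plain { plain[i] = 0 }
	return wrappedKey, ciphertext
}
func EnvelopeDecrypt(k *KMS, wrappedKey, ciphertext []byte) ([]byte, error) {
	plain, err := k.Decrypt(wrappedKey)
	if err != nil { return nil, err }
	return open(plain, ciphertext)
}
```

The caller stores the wrapped key beside the ciphertext; decryption is impossible without a round trip to the KMS boundary that holds the CMK, which is the property the 4 KB direct limit and the data-key pattern are built around.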

Azure Key Vault:

Microsoft Azure Key Vault is used to store secrets such as tokens, passwords, certificates, and API keys, and it can also be used as a key management solution. Key Vault can protect keys and secrets in hardware security modules (HSMs). Key Vault supports RSA and Elliptic Curve keys only. Microsoft will not see your keys, and processes them in FIPS 140-2 Level 2 validated HSMs.

Control                     | AWS KMS                              | Azure Key Vault
----------------------------|--------------------------------------|---------------------------------------------
Symmetric key               | AES-GCM-256                          | X
Asymmetric key              | X                                    | RSA-OAEP and RSA-PKCS#1 v1.5
Bring your own key (BYOK)   | CMK wrapped with RSA 2048            | PKCS#12 or nCipher HSM
Unwrap key                  | RSA-OAEP and RSA-PKCS#1 v1.5         | RSA-OAEP and RSA-PKCS#1 v1.5
Sign                        | X                                    | RSA-PSS and RSA-PKCS#1 v1.5
Key length, symmetric key   | AES 256                              | X
Key length, asymmetric key  | X                                    | RSA 2048 – 4096
Key operations per second   | 1000 – 5500 depending on the region  | 1000 for HSM, 2000 for software-based crypto

At Encryption Consulting, we are here to take care of all your encryption needs with respect to cloud key management.


About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.
