KMS allows you to safely store encrypted secrets in git, in a way where the decryption keys won't leak, you can control access to the encrypted secrets at a granular level and revoke access without needing to make any changes to the encrypted files. Give me a concrete example of a problem KMS solves/benefit to using KMS: Increased auditability and control over access to encrypted data.KMS shifts the problem of controlling access to encrypted data from a decryption key management problem (where granular access and ability to revoke access were impossible) to an identity and access management problem (where ACLs can be used to easily manage access, grant granular access, and revoke access.).KMS's are cheap and easy to use because they have API endpoints. KMS prevents the leaking of decryption keys, similar to a HSM, but HSM's are expensive and hard to use.Building your own logging and audit infrastructure for key usage is normally non trivial, but it comes out of the box with most Cloud KMS. Probably the biggest advantage of a Cloud KMS though is logging and auditing. Some KMS solutions allow you to import your own key, which can reduce your surface, but brings you back into having to protect your master key and since most Cloud HSM don't specify the encryption parameters and algorithms in a vendor neutral term, you still can't easily decrypt your data even if you have a copy of your imported master key. It makes it really hard to switch cloud provider as you can't easily move your data without also decrypting everything first. So these decisions are made for you so you can't accidentally configure weak encryption parameters.Īlso note though, that the cynical part of you should also notice that the pronunciation of "Cloud KMS" is very similar to "vendor lock in". They can also manage the choices of encryption algorithm, and the mechanism for upgrading algorithm choice. It makes managing encryption keys simpler because there's nothing you can do that can allow you to leak the master key. KMS allows you to encrypt/decrypt data without ever seeing your master keys. I need to know a concrete, relatable problem, that KMS helps me solve.
Whenever I've tried to look deeper I'd either find nothing, or explanations that would go over my head.
(buzz words you can say about any product aka meaningless for an Is this some product that's only meant for huge organizations?) I can't think of a scenario where I'd be using so many encryption keys that I'd need help managing them. but what does that actually mean? I'm not even sure if I have any keys I need to manage. KMS: Key Management System, we help you centrally manage your encryption keys. I'd never get any useful information out of the official docs, I'd get: Whenever I've tried to read the official docs What is Cloud KMS? What's it's purpose/benefit of KMS? Is there a concrete example of a problem I solve using it? How does it work? How do I use it? (AWS KMS, GCP KMS, Azure Key Vault)