
AWS KMS Multi region

Using AWS KMS Encryption SDK - MultipleProviderFactory, multiple CMKs from different regions can be combined into a single master key provider; the first CMK is used to generate the data key, the other CMKs just encrypt the data key. This helps to decrypt using the local KMS endpoint.

https://aws.amazon.com/blogs/security/how-to-use-the-new-aws-encryption-sdk-to-simplify-data-encryption-and-improve-application-availability/

Won't it fail if the Region of the first CMK is down and the data key is not generated, as the first CMK is the one that generates the data key? Any solution or workaround?

Based on an answer from a different AWS forum by Greg. This reply comes from the author of this blog post, Greg:

https://aws.amazon.com/blogs/security/how-to-use-the-new-aws-encryption-sdk-to-simplify-data-encryption-and-improve-application-availability/

"That is correct. If the first region cannot generate the data key, or if any of the other regions cannot encrypt the data key, the encryption will fail. This was an intentional design decision because otherwise you could end up with ciphertext that is not decryptable by all of the expected keys. When decrypting, all that is required is that any one of the master keys is available and capable of decryption.

Greg"
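The setup the question describes, together with the availability semantics Greg confirms, as an added example (this is not code from the question, from Greg's reply or from the linked blog post). It assumes the AWS Encryption SDK for Java 2.x API (AwsCrypto.standard(), KmsMasterKeyProvider.builder().buildStrict()), valid AWS credentials in the default chain, and placeholder key ARNs that you replace with your own:

```java
// Added example, not from the question or the blog post. Assumes AWS Encryption
// SDK for Java 2.x; the key ARNs below are placeholders, the Region of each KMS
// call is taken from the ARN.
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.Map;

import com.amazonaws.encryptionsdk.AwsCrypto;
import com.amazonaws.encryptionsdk.CryptoResult;
import com.amazonaws.encryptionsdk.MasterKeyProvider;
import com.amazonaws.encryptionsdk.exception.AwsCryptoException;
import com.amazonaws.encryptionsdk.kms.KmsMasterKeyProvider;
import com.amazonaws.encryptionsdk.multi.MultipleProviderFactory;

public class MultiRegionEnvelope {

    // Placeholder ARNs (assumed): one CMK per Region, same account.
    static final String US_EAST_1_KEY = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID-1";
    static final String EU_WEST_1_KEY = "arn:aws:kms:eu-west-1:111122223333:key/PLACEHOLDER-KEY-ID-2";

    static final AwsCrypto CRYPTO = AwsCrypto.standard();

    // Encrypt side: the first provider generates the data key, the second only
    // wraps it. If either Region is unreachable the whole call throws, by design,
    // so no ciphertext is ever produced that only some of the keys can open.
    static byte[] encrypt(byte[] plaintext, Map<String, String> context) {
        MasterKeyProvider<?> multi = MultipleProviderFactory.buildMultiProvider(
                KmsMasterKeyProvider.builder().buildStrict(US_EAST_1_KEY),
                KmsMasterKeyProvider.builder().buildStrict(EU_WEST_1_KEY));
        return CRYPTO.encryptData(multi, plaintext, context).getResult();
    }

    // Decrypt side: configure only the key of the caller's own Region. The
    // message carries one encrypted data key per CMK, so unwrapping with the
    // local key alone succeeds and never contacts the other Region's endpoint.
    static byte[] decryptLocally(byte[] ciphertext, String localKeyArn, Map<String, String> expectedContext) {
        MasterKeyProvider<?> local = KmsMasterKeyProvider.builder().buildStrict(localKeyArn);
        CryptoResult<byte[], ?> result = CRYPTO.decryptData(local, ciphertext);

        // Check the encryption context before trusting the plaintext: a message
        // encrypted under a different context is rejected rather than used.
        for (Map.Entry<String, String> e : expectedContext.entrySet()) {
            if (!e.getValue().equals(result.getEncryptionContext().get(e.getKey()))) {
                throw new IllegalStateException("encryption context mismatch for " + e.getKey());
            }
        }
        return result.getResult();
    }

    public static void main(String[] args) {
        Map<String, String> context = Collections.singletonMap("purpose", "multi-region-demo");
        byte[] ciphertext = encrypt("hello".getBytes(StandardCharsets.UTF_8), context);

        // A consumer in eu-west-1 decrypts with its own Region's key only.
        byte[] plaintext = decryptLocally(ciphertext, EU_WEST_1_KEY, context);
        System.out.println(new String(plaintext, StandardCharsets.UTF_8));

        // A provider holding a key that did not wrap this message cannot open it.
        try {
            decryptLocally(ciphertext, "arn:aws:kms:ap-southeast-1:111122223333:key/PLACEHOLDER-UNRELATED", context);
        } catch (AwsCryptoException ex) {
            System.out.println("expected failure: " + ex.getMessage());
        }
    }
}
```

The split between `encrypt` and `decryptLocally` is the point of the pattern: write paths need every configured Region up, read paths need only one. Monitor the encrypt side for KMS errors from any of the Regions, since that is where an outage surfaces, and keep the local-key list on the decrypt side explicit (strict mode) so a consumer can only ever unwrap with keys you intended.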

For those who are still looking for this, AWS has released multi region KMS keys. Here is the news.

Here is the excerpt from their documentation.

AWS KMS supports multi-Region keys, which are customer master keys (CMKs) in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions. Each set of related multi-Region keys has the same key material and key ID, so you can encrypt data in one AWS Region and decrypt it in a different AWS Region without re-encrypting or making a cross-Region call to AWS KMS.
