Thillai Sakthi wrote:I have a question on Key management service (KMS). I was thinking of using KMS for encrypting data for real time transactions. My idea was to create a Customer Master Key once and then for every transaction request a data key from KMS to encrypt the payload. But surprisingly there are limits to such requests (http://docs.aws.amazon.com/kms/latest/developerguide/limits.html). As my real time service will easily exceed 100 TPS, I cannot use KMS. Any idea how I can work around this limitation?
Is there any reason you feel you need this? AFAIR, ssh changes symmetric keys automatically after a certain period (or volume; possibly both) and, from what I understand, the protocol is proportional to unencrypted speeds (ie, it doesn't add significant payload weight) - but I could be wrong.
I'm also not exactly sure what your primary concern is here - security or throughput?
Andreas Wittig wrote:As far as I understand your use case, KMS is not the solution to your problem. KMS is focusing on data at rest. So I guess you need to search for an alternative here.
Respectfully disagree. As per KMS documentation, they have 2 use cases - one for envelope encryption and this is for real time transaction use case. The other one is the encryption of data at rest.
Thillai Sakthi wrote:Respectfully disagree. As per KMS documentation, they have 2 use cases - one for envelope encryption and this is for real time transaction use case. The other one is the encryption of data at rest.
Good point, thanks for correcting me. Haven't looked into envelope encryption so far.
Thillai Sakthi wrote:My primary concern is throughput.
I presume then that this stream/pipe is "zipped" in some way. Depending on what you're sending - which you didn't mention - this could increase throughput significantly. It may even be part of some encryption protocols (it's been a long time since I was involved with that stuff).
But that's about the limit of my knowledge, I'm afraid.
Here are a couple of things to consider:
1. Any reason you can't have more than one CMK? Perhaps you could meter requests based on the ID ranges of the clients?
2. If a single CMK is mandatory, you can ask AWS to increase your request-per-second limit (not sure what costs may come into play).
Best of luck!
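The envelope-encryption pattern the thread is debating, as an added Go example that is not code from the original thread or from AWS: one GenerateDataKey request per transaction, local AES-256-GCM under the returned data key, and one Decrypt request to read the payload back. StubKMS, its handle-based "wrapping" and the alias name are constructed stand-ins for the AWS SDK's KMS client, and its Calls counter is the figure you would compare against the documented request-rate limit.

```go
package main
import ("crypto/aes"; "crypto/cipher"; "crypto/rand"; "fmt")
// StubKMS is a constructed stand-in for the KMS calls envelope encryption makes
// (GenerateDataKey, Decrypt); production code uses the AWS SDK client. It hands
// out random data keys, returns an opaque handle in place of a CMK-wrapped key,
// and counts requests, the number compared with the request-rate limit.
type StubKMS struct {
	keys  map[string][]byte
	Calls int
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}
func (s *StubKMS) GenerateDataKey(cmkID string) ([]byte, []byte, error) {
	s.Calls++
	if s.keys == nil { s.keys = map[string][]byte{} }
	h := fmt.Sprintf("%s/%d", cmkID, s.Calls)
	s.keys[h] = randBytes(32) // what KeySpec AES_256 would return
	return s.keys[h], []byte(h), nil
}
func (s *StubKMS) Decrypt(wrapped []byte) ([]byte, error) {
	s.Calls++
	if k, ok := s.keys[string(wrapped)]; ok { return k, nil }
	return nil, fmt.Errorf("unknown wrapped key %q", wrapped)
}
// Envelope is what is stored or sent: the wrapped key travels with the ciphertext.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }
func gcm(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(blk)
}
// EncryptPayload is one transaction: one GenerateDataKey request, then local
// AES-256-GCM under the plaintext key, which is discarded afterwards.
func EncryptPayload(svc *StubKMS, cmkID string, payload []byte) (Envelope, error) {
	key, wrapped, err := svc.GenerateDataKey(cmkID)
	if err != nil { return Envelope{}, err }
	g, err := gcm(key)
	if err != nil { return Envelope{}, err }
	nonce := randBytes(g.NonceSize())
	return Envelope{wrapped, nonce, g.Seal(nil, nonce, payload, wrapped)}, nil
}
func DecryptPayload(svc *StubKMS, env Envelope) ([]byte, error) {
	key, err := svc.Decrypt(env.WrappedKey)
	if err != nil { return nil, err }
	g, err := gcm(key)
	if err != nil { return nil, err }
	return g.Open(nil, env.Nonce, env.Ciphertext, env.WrappedKey)
}
```

Because every transaction costs a fresh GenerateDataKey, N transactions per second means N KMS requests per second, which is exactly the figure the limits page caps.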