Bring your own key for server-side encryption at rest

Edit online

You can bring your own key to protect your data in storage attached to your AoC organization. This article describes how to bring your own key by integrating your key-management service (KMS) with AoC.

When you apply Aspera's server-side encryption at rest (SSEAR), you can choose either of two key-management strategies. You can use Aspera's native key-management function, or you can manage your own key by integrating a key-management service with AoC. In both cases, Aspera protects your data using a two-tier, AES-based encryption hierarchy.

When you bring your own key, it remains under your independent management the entire time. You use your KMS to protect and control your key, perform key rotation, key deletion, all other key-management functions. Your own key is never accessible to Aspera.

To bring your own key, you integrate your KMS with AoC by creating a KMS profile in AoC. Then you associate the profile with a node attached to your AoC organization.

Envelope encryption

Edit online

Aspera SSEAR uses envelope encryption to protect your content. Envelope encryption is the practice of encrypting data with a data encryption key, and then encrypting the data encryption key with a highly secure key-wrapping key.

The key you bring is key-wrapping key, also called the root key. The root key is independently managed by you using your KMS. The root key is never available to or under the control of Aspera.

When you apply envelope encryption using your own key, Aspera stores your encrypted data and the encrypted DEK in your cloud storage. Aspera never stores unencrypted DEKs and never has access to your root key in your KMS.

This double-encryption model combines the strengths of the AES algorithm with the inherent separation of key-management roles required for high-quality security.

This diagram shows the process of envelope encryption. A digital encryption key, or DEK, encrypts customer data. A root or wrapper key encrypts the DEK. The root key is independently managed by the KMS, and is never available to or under control of AoC.

Using Your KMS with Aspera on Cloud

Edit online

You can integrate your IBM Key Protect key-management service with Aspera on Cloud so that you can "bring your own key" for envelope encryption.

The following drawing is a schematic representation of the AoC/KMS integration architecture integration with IBM Key Protect.

This diagram shows the AoC/KMS integration architecture. It shows that the AoC backend interacts with ATS. Within ATS, the key-management service (KMS) integration service interacts with the Aspera High-Speed Transfer server and the user's cloud storage. ATS interacts with the IBM Key Protect KMS in the IBM Cloud.

The new Aspera KMS integration service interacts with both the AoC backend and the HST server in the Aspera-managed auto-scale cluster (ATS). It also interacts with your IBM Key Protect account using your IBM IAM with a service ID API key in the IBM Cloud. The following drawings show the upload and download workflows, illustrating the specific interactions among all these elements.

This drawing shows the end-to-end upload workflow.

This diagram shows the AoC/KMS integration with an upload flow overlay, helping to clarify the encryption process when an AoC user uploads content to an encrypted node.

The download workflow reverses the process, as shown in the next diagram.

This diagram shows the AoC/KMS integration with a download flow overlay, helping to clarify the decryption process when an AoC user downloads content from an encrypted node

Implementation notes

Edit online
  • Supported KMS: IBM Key Protect.
  • Support for KMS key rotation.
  • Supported storage types:
  • Supported Aspera node type: Aspera-managed auto-scale clusters (ATS).
  • You can apply Aspera SSEAR in addition to or instead of encryption options offered by your cloud provider.
  • You can enable encryption only on nodes that are not configured for watermarking. This applies to both Aspera SSEAR and cloud-provider encryption. See this article for details.

Prerequisites

Edit online
  • IBM Key Protect instance. Set the "Allowed network policy" to public-and-private (this is the default setting).
  • IBM IAM authentication using Service ID API Key.

KMS provider specifications

Edit online
To complete this task, you need the following information from your IBM Key Protect account.
Value Definition Example
KMS endpoint The Key Protect service endpoint. The API endpoint to use when you connect to the Key Protect API. https://us-east.kms.cloud.ibm.com
Key Protect Instance ID The unique identifier assigned to your Key Protect service instance. ra385699-3d6f-47d4-8239-56b7890e5f73
Root key ID The unique identifier for the root key to use for encrypting and decrypting (wrapping and unwrapping) the DEK. 41aed334-923f-4b6d-8d67-13e1f6c019b3
API key The key that AoC submits to Key Protect to be authenticated and be granted access.
Aspera recommends that you use Service ID API keys. Aspera also supports User API keys.
 8uEy9TUDVtUHuUGXpsMlpTb4rp8B_ZEfjU28ujik_nyw

Procedures

Edit online

To encrypt content using the root key in your KMS you must create at least one AoC KMS profile. Then you must associate the profile with a node attached to your organization. You can associate a profile with an existing attached node as long as you have not previously applied Aspera encryption-at-rest to it. You can also associate a profile with a new node during node creation.

KMS profile configuration notes
  • Give each profile a unique name.
  • You can associate any given profile with multiple nodes. Any given node can have only one KMS profile associated with it.
  • You can update an existing profile by changing the profile name and API key, but you cannot update other profile settings.
  • To protect your access to existing encrypted data, you cannot delete a KMS profile if you have associated it with any nodes. You must first delete the associated nodes. Then you can delete the profile. Right-click a profile row and select Delete.

To complete this procedure on an existing attached node, you need the access key secret. You can also create a new access key. See

  1. Create a KMS profile.
    1. Go to Admin > Integrations > Third-party > Key-management services.
    2. Click Create new to open the Key-management service profile page.
    3. Give this profile a unique name.
    4. Select your KMS provider.
    5. Enter the required data into the form, according to the specifications of your KMS provider.
    6. Click Save.
  2. Apply the KMS profile to the node to encrypt.
    1. Go to Admin > Nodes and storage > Nodes.
    2. Select the intended node by clicking the node row.
    3. Enter the access key secret and click Log in.
    4. In the Details tab, go to Aspera encryption at rest.
    5. In the Key-management method field, select Use my Key-management service.
    6. In the following field, select the KMS profile to apply.
    7. Click Save.
Once you complete these procedures successfully, all data you upload to this node will be protected using envelope encryption.
Note: Once you apply encryption at rest, you cannot remove or change it.
Note: Encryption applies only to new data that you upload after you apply encryption. Data that exists on the node before you encrypt remains unencrypted.