Client-Side Encryption

FIPS 140-3 grade security with software-defined simplicity

How to stop data breach on AWS S3

DuoKey for AWS S3

Client-side encryption is the act of encrypting data before sending it to Amazon S3. To enable client-side encryption, DuoKey generates a CMK within your application on the client side; AWS has no access to any encryption keys.


Protect your AWS S3 Bucket

Keep your keys safe

With DuoKey for AWS S3, our plugin works by keeping a master key inside the MPC node and using it to derive a unique key for each object in a bucket. The software running on the client has access to these object-specific keys, but never to the master key, which never leaves the MPC node.

Use your own CMK

To access the content you must have the CMK generated using DuoKey MPC. The customer key is managed using our DKMAAS with MPC. Since one key is always in your control, AWS never has access to your data. When uploading an object, you provide a client-side master key to the Amazon S3 encryption client. The client uses the master key only to encrypt the data encryption key that it generates randomly.

Safe protection

Experts agree that end-to-end encryption can reduce the risk of unauthorized data access and meet certain compliance and data residency requirements. DuoKey takes a complementary approach to encryption, both using encryption keys controlled by the customer and performing the encryption at the endpoint.

Client-Side Encryption

Client-side encryption is the act of encrypting data before sending it to Amazon S3. To enable client-side encryption, DuoKey generates a master key that you store within your application. AWS cannot access your keys.

How to use AWS S3 Client-Side Encryption

Prepare an AWS bucket with a number of different objects

Generate a CMK master key stored inside the DuoKey MPC node

Generate an object-specific key and a nonce for each object

Then, to encrypt and decrypt data, the AWS S3 SDK is given a handle that calls the DuoKey MPC
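The key-derivation and encrypt/decrypt steps above, as an added Go example that is not DuoKey's or AWS's code: the MPC node is stood in for by a struct whose master key is unexported, per-object keys are derived from it with HMAC-SHA256 (an assumed derivation, not DuoKey's actual scheme), and each object is sealed with AES-256-GCM under a fresh nonce with the bucket/object name bound as associated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// KeyNode is a constructed stand-in for the MPC node: the master key lives only here.
type KeyNode struct{ master []byte }

func NewKeyNode() (*KeyNode, error) {
	k := make([]byte, 32) // 256-bit master key; callers never receive it
	if _, err := rand.Read(k); err != nil { return nil, err }
	return &KeyNode{master: k}, nil
}
// ObjectKey derives the unique key for bucket/object from the master key with
// HMAC-SHA256 (an HKDF-Expand style step; assumed design, not DuoKey's).
func (n *KeyNode) ObjectKey(bucket, object string) []byte {
	m := hmac.New(sha256.New, n.master)
	m.Write([]byte("s3-object-key\x00" + bucket + "\x00" + object))
	return m.Sum(nil) // 32 bytes, used directly as the AES-256 key
}
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// Seal encrypts one object under its object key with AES-256-GCM; the random
// nonce is prefixed to the ciphertext and bucket/object is bound as associated data.
func Seal(objKey []byte, bucket, object string, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(objKey)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, []byte(bucket+"/"+object)), nil
}
// Open reverses Seal; the wrong key, a renamed object or a tampered blob fails.
func Open(objKey []byte, bucket, object string, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(objKey)
	if err != nil { return nil, err }
	ns := gcm.NonceSize()
	if len(blob) < ns { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(bucket+"/"+object))
}
```

An upload hook would call ObjectKey then Seal and store the returned blob in S3; the client process only ever holds the object key, never the master key.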