KMS and HSM Fundamentals

SecurityKMS
Share on LinkedIn

An engineer pasted an AES-256 key into a Slack channel so staging could decrypt a database dump. The key lived in chat history, a .env file, and three laptops. Rotating it meant redeploying six services and re-encrypting a terabyte of backups over a weekend. KMS exists so that story never happens: keys stay in a vault with IAM boundaries, every use is logged, and rotation is a API call—not a scavenger hunt through config repos.

Key Management Service (KMS) and Hardware Security Modules (HSM) form the backbone of production encryption. KMS is the control plane—who can use which key, when, and from where. HSM is the trust anchor—where keys are born and where private material stays unexportable.

Key hierarchy and envelope encryption

Most applications should never hold long-lived master keys. The pattern:

  1. KMS holds a Customer Master Key (CMK) or Key Encryption Key (KEK)
  2. Application generates a random Data Encryption Key (DEK)
  3. Encrypt payload locally with DEK (AES-GCM)
  4. Call KMS to encrypt the DEK → store ciphertext + wrapped DEK together
// Conceptual flow with AWS SDK v2
val kms = KmsClient.create()
val generateResponse = kms.generateDataKey {
    it.keyId(keyArn)
    it.keySpec(DataKeySpec.AES_256)
}
val plaintextDek = generateResponse.plaintext().asByteArray()
val wrappedDek = generateResponse.ciphertextBlob().asByteArray()

try {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, SecretKeySpec(plaintextDek, "AES"))
    val ciphertext = cipher.doFinal(userData)
    store(wrappedDek, cipher.iv, ciphertext)
} finally {
    plaintextDek.fill(0) // zeroize
}

Decrypt reverses: KMS unwraps DEK, local AES decrypts payload. Master key never touched bulk data.

Cloud KMS vs dedicated HSM

Aspect Cloud KMS (AWS, GCP, Azure) Dedicated HSM (CloudHSM, on-prem)
Operations Fully managed, API-driven You manage cluster, PKCS#11
Compliance FIPS 140-2 Level 2 typical Level 3 options for stricter regimes
Multi-tenant Shared infrastructure Single-tenant hardware
Cost model Per-request + key monthly Fixed cluster cost
Latency Low ms, regional Depends on placement

Use managed KMS for application encryption, secrets wrapping, and database TDE integration. Move to dedicated HSM when regulations require single-tenant hardware, custom key ceremonies, or PKCS#11 signing with non-exportable keys for PKI roots.

IAM, policies, and least privilege

Keys are useless without policy discipline. Grant kms:Decrypt only to the role that reads ciphertext, kms:GenerateDataKey only to writers:

{
  "Effect": "Allow",
  "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
  "Resource": "arn:aws:kms:eu-west-1:123456789012:key/abc-123",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:service": "payments-api"
    }
  }
}

Encryption context is authenticated auxiliary data—bind ciphertext to tenant or resource ID so a stolen blob cannot decrypt under a generic grant.

Enable CloudTrail or equivalent on every Decrypt call. Alert on spikes from unexpected principals.

Rotation without downtime

Automatic CMK rotation generates new backing material while preserving decrypt of old ciphertext. Application code using keyId alias (alias/payments-master) picks up new material transparently.

For envelope-encrypted objects, each object stores which key version wrapped its DEK. Re-encryption jobs can rewrite objects with new DEKs during maintenance—prioritize high-sensitivity buckets first.

Never embed key IDs in client apps. Mobile and browser clients should not call KMS directly; use a backend that performs crypto or issue short-lived tokens.

HSM use cases beyond storage encryption

Payment networks often mandate HSMs for PIN translation and MAC generation. Application teams still interact through KMS-like APIs; only crypto officers touch physical modules.

Common mistakes

Test failure modes: KMS throttling, regional outage, expired credentials. Cache DEKs in memory with TTL for hot paths only—never persist plaintext DEKs.

Dual control for root keys

Cloud KMS automatic rotation does not replace dual-control ceremonies for root keys in regulated environments—document who can ScheduleKeyDeletion and require MFA plus ticket.

What to measure after rollout

Track error rates, tail latency, and resource utilization for two weeks after changes land—most regressions appear under real traffic mixes, not in staging smoke tests. Keep a rollback path documented: feature flags, Helm revision, or Git revert with known good digest. Review on-call pages tied to the topic quarterly; delete alerts that never fire and add thresholds that would have caught your last incident.

Run a short blameless postmortem if production surprised you, even for minor issues. The goal is updating this runbook section with one concrete lesson per quarter so the next engineer inherits context, not just configuration snippets.

Pre-production checklist

Before promoting to production, walk through this list with someone who was not the primary author—fresh eyes catch assumptions.

If any item is "we will do that later," treat it as a release blocker for tier-1 services.

Resources

Frequently asked questions

What is the difference between KMS and an HSM?

KMS is a key management service—APIs, policies, rotation schedules, and audit logs around cryptographic keys. An HSM is hardware (or cloud-backed hardware) that generates and stores keys in tamper-resistant modules where private key material never leaves the device in plaintext. Cloud KMS products often use HSMs under the hood for root keys.

Why use envelope encryption instead of encrypting data directly with KMS?

KMS encrypt/decrypt operations have latency limits and payload size caps—typically 4 KB on AWS KMS. Envelope encryption generates a data encryption key locally, encrypts bulk data with AES, and wraps the DEK with a KMS master key. You encrypt gigabytes without sending them through KMS APIs.

How often should encryption keys rotate?

Master keys in KMS often rotate automatically on a yearly cadence or on demand after compromise. Data encryption keys should be unique per object or session and discarded after use. Rotation does not require re-encrypting all historical data immediately if you version keys and retain decrypt capability for old ciphertext.

Hiring a senior Android / Flutter engineer?

I architect and ship production mobile software — Kotlin, Jetpack Compose, Flutter — for robotics, EV infrastructure, fintech, and real-time systems. Open to remote roles in Europe and the US.

Get in touch →