AWS adds bring your own key crypto to its cloudy S3 storage

Are you paranoid enough to make the effort to track which key you used on which object?

Amazon Web Services (AWS) has added bring-your-own-key (BYOK) encryption to its Simple Storage Service (S3).

AWS points out that BYOK comes with some complexity. “... it is up to you to manage your encryption keys and to make sure that you know which keys were used to encrypt each object,” writes the company's omni-blogger Jeff Barr. “If you enable S3’s versioning feature and store multiple versions of an object, you are responsible for tracking the relationship between objects, object versions, and keys so that you can supply the proper key when the time comes to decrypt a particular version of an object.”

Which sounds decidedly non-trivial.
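The bookkeeping Barr describes, as an added example that is not from the article or from AWS: a ledger that records a key fingerprint for every object version written, exercised against a constructed in-memory stand-in for a versioned SSE-C bucket. Class and method names are assumed; the stand-in stores bodies unencrypted and only mimics S3's rejection of a mismatched customer key, and its sequential version ids replace the opaque ones S3 issues.

```python
import hashlib

class FakeVersionedBucket:
    """Constructed in-memory stand-in for a versioning-enabled S3 bucket with SSE-C."""
    # Real S3 encrypts the body and keeps a salted HMAC of the key to validate later
    # requests; this stand-in stores the body as-is and checks the key's MD5 instead.

    def __init__(self):
        self._objects = {}  # (object key, version id) -> (body, key MD5)

    def put_object(self, name, body, sse_key):
        version_id = f"v{len(self._objects) + 1}"
        self._objects[(name, version_id)] = (body, hashlib.md5(sse_key).digest())
        return {"VersionId": version_id}

    def get_object(self, name, version_id, sse_key):
        body, key_md5 = self._objects[(name, version_id)]
        if hashlib.md5(sse_key).digest() != key_md5:
            raise PermissionError("SSE-C key does not match the key used for this version")
        return body


class KeyLedger:
    """Assumed design: record which customer key encrypted each object version."""

    def __init__(self):
        self.keys = {}    # key fingerprint -> key bytes (would live in a KMS/HSM)
        self.ledger = {}  # (object key, version id) -> key fingerprint

    def put(self, bucket, name, body, sse_key):
        # Fingerprint = SHA-256 prefix, so the ledger itself holds no key material.
        fp = hashlib.sha256(sse_key).hexdigest()[:16]
        self.keys[fp] = sse_key
        version_id = bucket.put_object(name, body, sse_key)["VersionId"]
        self.ledger[(name, version_id)] = fp
        return version_id

    def get(self, bucket, name, version_id):
        fp = self.ledger.get((name, version_id))
        if fp is None:
            raise KeyError(f"no key recorded for {name}@{version_id}; cannot decrypt")
        return bucket.get_object(name, version_id, self.keys[fp])


def demo():
    bucket, ledger = FakeVersionedBucket(), KeyLedger()
    key_a, key_b = bytes(range(32)), bytes(range(32, 64))  # constructed 256-bit keys
    v1 = ledger.put(bucket, "report.csv", b"first draft", key_a)
    v2 = ledger.put(bucket, "report.csv", b"final", key_b)  # key rotated between versions
    return bucket, ledger, v1, v2, key_b
```

Without the ledger entry the older version is unreadable even though the bucket still holds it, which is the versioning trap Barr points at.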

AWS does, however, provide a key management system in its cloud.

BYOK for S3 will, for some users, be a comfort: one concern about the public cloud is that it will either become subject to government-mandated back doors or be targeted by security agencies keen to ensure they can access obvious targets. BYOK and self-managed keys will make security agencies' jobs rather trickier and may also make cloud storage more palatable for the paranoid.

Governments? They probably don't like this. But what's a democracy to do when a company offers its customers choice?

AWS has also made its encryption free and pledges “no observable effect” on performance. ®