Module 8: Cryptography and Key Management in the Cloud
Cloud cryptography questions are not about memorizing algorithms. The exam tests who controls the keys, where encryption occurs, and what happens when key management fails. If you understand key ownership, you understand cloud crypto.
Encryption in Cloud Context
Encryption in the cloud is not fundamentally different from encryption on-premises — the algorithms are the same. What changes is who manages the keys and where encryption and decryption occur. These are the questions the exam asks.
Data States and Encryption
Data at Rest
Data stored in cloud storage, databases, or file systems. Encryption at rest protects against unauthorized physical access (stolen drives) and unauthorized logical access (compromised storage accounts). The exam tests whether you know the difference between provider-managed keys, customer-managed keys, and customer-provided keys.
Data in Transit
Data moving between the customer and the cloud, or between cloud services. TLS is the standard. The exam may test whether you understand certificate management, perfect forward secrecy, and what happens when TLS terminates at a load balancer inside the CSP's network (the data may be unencrypted within the provider's internal network).
Data in Use
Data being actively processed. This is the hardest state to protect because computation typically requires plaintext data. The exam recognizes emerging solutions like homomorphic encryption (compute on encrypted data) and confidential computing (hardware-isolated enclaves). Know that homomorphic encryption is still largely impractical for complex operations, while confidential computing (Intel SGX, AMD SEV) is production-ready for certain workloads.
Exam insight: If a question asks how to protect data during processing in an untrusted cloud environment, confidential computing (hardware enclaves) is currently the most practical answer. Homomorphic encryption is theoretically stronger but not yet practical for most workloads.
Key Management Models
Provider-Managed Keys
The CSP generates, stores, and manages all encryption keys. The customer has no access to or control over keys. This is the simplest option but provides the least control. The CSP (or anyone who compromises the CSP) can decrypt the data.
Customer-Managed Keys (CMK)
The customer controls the key lifecycle through the CSP's key management service (KMS). The customer decides when keys are created, rotated, and destroyed, but the keys are stored within the CSP's infrastructure. This provides better control while maintaining integration with cloud services.
Customer-Provided Keys (Bring Your Own Key / BYOK)
The customer generates keys in their own HSM and imports them into the CSP's KMS. The customer maintains a copy outside the cloud. This provides the highest control level that most CSPs support, but the keys still exist within the CSP's memory during cryptographic operations.
Hold Your Own Key (HYOK)
The customer retains keys entirely outside the cloud. Encryption and decryption happen outside the CSP. This provides maximum security but limits cloud-native functionality — the CSP cannot index, search, or process encrypted data.
Key Management Best Practices for the Exam
- Separation of duties: The person who manages keys should not be the person who manages encrypted data
- Key rotation: Regular rotation limits the impact of key compromise. Know the difference between automatic rotation (only newly written data uses the new key; existing data stays readable under the previous key version) and re-encryption (existing data is decrypted and encrypted again under the new key)
- Key escrow and recovery: What happens if the key is lost? Cloud KMS solutions provide built-in recovery, but BYOK requires the customer to maintain backups
- Hardware Security Modules (HSMs): Cloud HSMs (like AWS CloudHSM) provide FIPS 140-2/3 validated key storage. The exam tests when HSMs are required (usually for highly regulated industries)
Common Exam Traps
- Encryption does not equal security: Poorly managed keys make encryption useless. If the exam describes encrypted data with keys stored alongside it, the encryption provides minimal protection.
- BYOK does not mean the CSP never sees the key: During cryptographic operations, the key exists in the CSP's memory. Only HYOK truly keeps keys out of the cloud, at the cost of functionality.
- Deleting data vs. deleting keys: In cloud environments, crypto-shredding (destroying the encryption keys) is often more reliable than trying to delete all copies of encrypted data across distributed storage.
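The following Go program is an added worked example, not part of the original module and not any cloud provider's code. It models the envelope-encryption pattern behind the key management models above: each object gets its own data encryption key (DEK), the DEK is wrapped by a versioned key encryption key (KEK) held in a hypothetical KMS type, and whoever operates that KMS (CSP or customer, which is what distinguishes provider-managed, CMK, BYOK and HYOK) can unwrap every DEK. It then walks through the three points from the lists above: KEK rotation that leaves existing data untouched, re-encryption that does move data to the new key, and crypto-shredding, where destroying one KEK version makes every object still wrapped under it unrecoverable. AES-256-GCM from the Go standard library and the "customer record" sample are assumptions chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy source: not recoverable
	}
	return b
}

// gcm builds AES-256-GCM. Every key here is 32 bytes, so neither constructor can fail.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// seal prepends a fresh random nonce; open reverses it, and the GCM tag
// rejects any tampering with the ciphertext or the additional data (aad).
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}
func open(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// KMS is a hypothetical stand-in for a key-management service (not any provider's API).
// keks[i] is key encryption key (KEK) version i+1, or nil once shredded. Whoever operates
// the KMS, CSP or customer, can unwrap every DEK and so read every object.
type KMS struct{ keks [][]byte }

// Rotate adds a KEK version for future wraps (call once before first use). Older versions
// stay usable, so rotation alone re-encrypts nothing: only new data uses the new key.
func (k *KMS) Rotate() { k.keks = append(k.keks, randomBytes(32)) }

// Shred destroys one KEK version: crypto-shredding. Every object whose DEK is still
// wrapped under it is unrecoverable, however many copies of the ciphertext exist.
func (k *KMS) Shred(version int) { k.keks[version-1] = nil }

// WrapDEK encrypts a DEK under the newest KEK, binding the version number as AAD.
func (k *KMS) WrapDEK(dek []byte) (version int, wrapped []byte) {
	version = len(k.keks)
	return version, seal(k.keks[version-1], dek, []byte(fmt.Sprint("kek-v", version)))
}
func (k *KMS) UnwrapDEK(version int, wrapped []byte) ([]byte, error) {
	if version < 1 || version > len(k.keks) || k.keks[version-1] == nil {
		return nil, fmt.Errorf("KEK version %d is destroyed or unknown", version)
	}
	return open(k.keks[version-1], wrapped, []byte(fmt.Sprint("kek-v", version)))
}

// Object is what sits at rest: ciphertext plus its wrapped DEK. The wrapped DEK beside
// the data is envelope encryption; the KEK beside it would be the "keys alongside data" trap.
type Object struct {
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt uses a fresh DEK per object, seals the data with it and wraps the DEK.
func Encrypt(k *KMS, plaintext []byte) *Object {
	dek := randomBytes(32)
	ver, wrapped := k.WrapDEK(dek)
	return &Object{KEKVersion: ver, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, nil)}
}
func Decrypt(k *KMS, o *Object) ([]byte, error) {
	dek, err := k.UnwrapDEK(o.KEKVersion, o.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, o.Ciphertext, nil)
}

func main() {
	k := &KMS{}
	k.Rotate()
	obj := Encrypt(k, []byte("customer record")) // constructed sample data
	k.Rotate()                                    // obj still decrypts under v1; only new writes use v2
	pt, _ := Decrypt(k, obj)
	obj = Encrypt(k, pt) // re-encryption: fresh DEK, wrapped under v2
	k.Shred(1)
	pt, err := Decrypt(k, obj)
	fmt.Printf("v1 shredded, object on v%d: %q err=%v\n", obj.KEKVersion, pt, err)
	k.Shred(2)
	_, err = Decrypt(k, obj)
	fmt.Println("v2 shredded:", err)
}
```

Two design choices carry the lesson. The KMS never sees plaintext data, only DEKs, which is why a cloud KMS can serve every service without being in the data path; but it does see every DEK, which is why the party operating it can read everything and why BYOK still exposes key material inside the CSP. And Shred needs no access to the stored ciphertext at all, which is what makes crypto-shredding practical across distributed copies that a normal delete might miss.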
Key Takeaways
Cloud cryptography is about key ownership and management, not algorithms. Know the four key management models (provider-managed, CMK, BYOK, HYOK) and their tradeoffs. Understand encryption across all three data states. Remember that crypto-shredding is the preferred cloud data destruction method. Key management failures make encryption worthless.