Townsend Security Data Privacy Blog

Notice to Alliance Key Management users in AWS

Posted by Luke Probasco on Oct 11, 2018 11:36:59 AM

This week Amazon Web Services sent an email to our AWS customers informing them that Alliance Key Manager was no longer available in the AWS Marketplace. This email message was inaccurate and misleading. Townsend Security is committed to providing dedicated, compliant key management solutions to AWS customers, as well as to other cloud platform customers, and continues to make our solution available on the AWS Marketplace.

This is from the email message sent by Amazon:

“We are writing to inform you that, as of 10 October 2018, Townsend Security will no longer offer "Alliance Key Manager for AWS" to new subscribers on AWS Marketplace.”

In fact, Townsend Security posted a new version of Alliance Key Manager on AWS this week, and withdrew the older version. The withdrawn version is Alliance Key Manager version 4.5. The new version is Alliance Key Manager version 4.6, which adds new support for VMware vSphere and vSAN encryption key management. You can find the current version of Alliance Key Manager in the AWS Marketplace here:

Both versions of Alliance Key Manager remain under full software support and maintenance. You can upgrade to the new version if and when you wish to.

Please be aware that Amazon prevents us from knowing your customer details when you use the fee-based offering on AWS. Unless you register with us we won’t be able to inform you if we have important updates and security patches. If you are an Alliance Key Manager customer on AWS, please register with us here.

Our goal is to provide you with the best key management and encryption solutions on the AWS platform. You always have exclusive control of your encryption keys – neither Amazon nor Townsend Security can manage or access your keys.

If you have any questions please contact us here.

Townsend Security

Topics: Alliance Key Manager, Amazon Web Services (AWS)

Townsend Security Extends Alliance Key Manager to Support vSphere Encryption of VM Images and vSAN

Posted by Luke Probasco on Sep 14, 2018 8:06:28 AM

VMware users can now protect VM Images and vSAN with Alliance Key Manager, Townsend Security’s FIPS 140-2 compliant encryption key manager.

Townsend Security is excited to announce that its new version of Alliance Key Manager fully supports VMware vSphere encryption for both VMware virtual machines (VMs) and for VMware Virtual Disk (vDisk). VMware users have been using Alliance Key Manager to protect data in application databases and applications to meet PCI DSS, GDPR, HIPAA compliance as well as other data privacy regulations. Now VMware users can use the same Alliance Key Manager solution with vSphere to protect virtual machines and virtual disks. Townsend Security is a VMware Technology Alliance Partner (TAP) and Alliance Key Manager for VMware has achieved VMware Ready status.

“Our customers have been using Alliance Key Manager to protect data in Microsoft SQL Server, MongoDB and other environments for many years. Now VMware users can have confidence that Alliance Key Manager can also protect VMware virtual machines and virtual disk to achieve the highest level of data-at-rest protection,” said Patrick Townsend, CEO of Townsend Security. “VMware users are looking for certified solutions that support their complex Windows and Linux environments without the need to deploy additional hardware-based HSMs. We are happy to announce this extension of our key management solution to help VMware vSphere users achieve a high level of data protection.”

VMware users are looking for affordable solutions that provably meet compliance regulations and which fit their budget and deployment goals. Alliance Key Manager meets this goal by providing NIST FIPS 140-2 compliance, PCI-DSS certification, and Key Management Interoperability Protocol (KMIP) compliance out of the box. Existing Alliance Key Manager customers can upgrade at no cost to extend their data protection compliance requirements to vSphere. New customers can deploy Alliance Key Manager without the fear of increased, unplanned licensing costs in the future.

In addition to PCI DSS, compliance regulations such as the European Union General Data Protection Regulation (GDPR), the HIPAA data security regulation, and many other data protection regulations, require the encryption of data at rest. Alliance Key Manager combined with vSphere encryption are the protection methods  to help you meet these regulatory requirements. “Don’t be fooled by vague language in the GDPR regulation. You must act to protect sensitive information of individuals in order to meet this regulatory requirement. You should act now to protect your organization,” said Townsend.

Alliance Key Manager for VMware is available for a free 30-day evaluation.

Topics: Alliance Key Manager, Press Release, VMware

Key Management System (KMS) Licensing - There Has to Be a Better Way

Posted by Patrick Townsend on Aug 20, 2018 10:27:50 AM

Take a little imaginary trip with me.

You want to buy a new car and you are dreaming of all of the great places you can go and hikes you can take. You’ve done your research, you’ve identified a favorite model, you know the mileage and quality ratings, and you’ve made up your mind! That dream car is going to be yours.

You spend the obligatory two hours at the dealer and drive away with your dream vehicle. You drive it home and park it in the driveway.

Time to head out to your first destination! You pile your hiking gear into the car and head for the Appalachians for your first hike.

Suddenly, your car stops dead in the road and says “Sorry, you need to pay for this destination. It is not a part of your original car purchase plan. That will be an extra $5,000 please. Credit cards accepted!”

WTF?

You didn’t read the fine print. This car purchase plan only includes 5 destinations and the Appalachians aren’t in the plan. Each new destination is going to cost you a bundle.

Welcome to Key Management System licensing.

Most Enterprise Key Management Systems (KMS) work with this licensing model. You will usually find that you need to license each end-point that connects to the key manager. One end-point may be included in the KMS pricing, but you need to purchase additional “license packs” to attach additional systems. Or, you find that your KMS only supports a limited number of encryption keys. As soon as you roll your keys to meet compliance requirements, it is suddenly time to purchase capacity for more keys! Or, for that new encryption project, you may find that you need to purchase new software to enable encryption for that environment.

And it can get really bad when you discover that the KMS system comes in different hardware models and you suddenly need to purchase an entirely different hardware model and do full replacements. That’s painful.

This typical KMS licensing model works really well for the companies that sell them. For companies who need to deploy encryption?

Not so much …

It means going to management for new budget approval every time you want to extend your security through better encryption. Over time this can add up to hundreds of thousands or even millions of dollars in new license and maintenance fees.

There has to be a better way, right?

There is. Here at Townsend Security we do things differently with our Alliance Key Manager licensing. You purchase the KMS platform of your choice and use it the way you want. It is that simple. From that point on:

  • We never charge you fees for connecting a new end-point that needs a KMS.
  • We never limit the number of end-points based on the model of the KMS.
  • We never limit the number of encryption keys generated or stored on the KMS.
  • We never force you to pay extra fees for software patches.
  • We never force you to pay extra fees for routine software upgrades.
  • If you have a hardware HSM, we do not force you to re-purchase the KMS at end of life. Just replace the hardware and keep on keepin’ on!

Fortunately, the story about purchasing a car was completely made up. But the nightmare of KMS licensing is real. Just know that it doesn’t have to be that way. Take a look at our KMS offerings and see a new path forward.

Pinch yourself. And get ready for that dream trip.

We provide Alliance Key Manager as a hardware security module (HSM), as a VMware software appliance, and as a cloud instance (Azure, AWS) - All running the same key management software with the same interfaces and applications.

Patrick

Topics: Alliance Key Manager

Case Study: Lockr

Posted by Luke Probasco on Aug 13, 2018 9:49:38 AM

Secrets Management SaaS for CMS Systems Including Drupal and WordPress

 


With easy and flexible deployment options, Alliance Key Manager has allowed Lockr to offer affordable secrets management to Drupal and WordPress users.

- Chris Teitzel, Lockr CEO

 
Lockr

Lockr is dedicated to removing barriers to implementing sound security practices. By building, and making available, security solutions that are easy to deploy and affordable, Lockr fulfills its commitment to helping companies and organizations, of all sizes, protect the data of their customers, their partners, their employees and their daily operations. Lockr has made secrets management available to the Drupal content-management framework since 2015 and to the WordPress platform since 2016.

 

The Challenge: OEM, Compliant, Encryption Key Management

As a company who protects private information for leading companies across all verticals, Lockr knew that the only way they could be confident in their Software as a Service (SaaS) offering was to back it with a FIPS 140-2 compliant encryption key management solution. FIPS compliance meant that the solution was based on industry standards and has undergone a stringent review of the encryption source code and development practices. Further, as a growing organization whose goal was to offer an affordable service, Lockr needed a relationship with a company that offered them a flexible OEM partnership.

“Often times, because of the cost and complexity of secrets management solutions, organizations struggle and cross their fingers they don’t experience a data breach. From the inception, Lockr’s mission has been to offer affordable and easy to use security so that even the smallest websites can have the same protection as large enterprises.”

The Solution

Alliance Key Manager in AWS

As a company that protects secrets (APIs, tokens, applications secrets, and encryption keys), Lockr offers their customers a service to better secure data without the costs associated with purchasing and managing dedicated servers. By partnering with Townsend Security, Lockr was able to back their service with a proven solution that is in use by enterprises worldwide.

After choosing Amazon Web Services (AWS) as their cloud service provider (CSP), Lockr rapidly deployed Alliance Key Manager in AWS in regions all over the globe. “The combination of Alliance Key Manager and AWS allows Lockr to offer SLAs and support plans that the most demanding organizations require. Working with Alliance Key Manager in AWS is painless - we just launch an AMI and can instantly begin developing and testing. Even though our infrastructure is in AWS, our service is multi-cloud and multi-platform.”

Integration with CSP and Hosting Providers

Lockr provides secrets management to Drupal and WordPress environments hosted anywhere - Pantheon, Acquia, or even self-hosted. Businesses often turn to CSPs and hosting providers because they don’t want to manage another piece of infrastructure or have the expertise. Now they can improve security by turning to Lockr for secrets management as a service.

“While a hosting provider can ensure that their infrastructure is safe, it doesn’t extend to the applications that you run on top of it.” Because of this, providers are starting to refer Lockr to their customers, especially those in finance, healthcare and higher education industries. “When you look at reasons people chose to work with a hosting company, they are looking for people to do all the DevOps work - including security - that they don’t know how to do. Site developers know they need to be safe and Lockr, backed by Alliance Key Manager from Townsend Security, makes that happen.”

Better Securing eCommerce

When businesses deploy eCommerce solutions like Commerce Guys in Drupal or WooCommerce in WordPress to take themselves “out of the sensitive data realm” they are often surprised to learn they are collecting personally identifiable information (PII) such as email address, name, and zip code that they ARE responsible for protecting. Further, services like these use an API to connect to the CMS that needs to be protected. With Lockr’s architecture, it is easy for eCommerce providers to give their users comprehensive security, beyond a credit card transaction.

“The type of SMBs that deploy eCommerce services have a high need for security, but often a small budget. These companies make up a large portion of the web, but often enterprise security solutions are out of reach due to their technical capabilities and cost. They need to have a solution that scales with them.” By calling the APIs offered in Alliance Key Manager, Lockr is able to provide their users with the added security they require to prevent a data breach.

Topics: Case Study, Alliance Key Manager, Drupal, WordPress

Alliance Key Manager and Meltdown/Spectre

Posted by Robbn Miller on Jan 12, 2018 2:19:14 PM

The security vulnerabilities known as Meltdown and Spectre, which involve speculative execution logic in a variety of Intel and non-Intel architectures, also affect the Townsend Security product Alliance Key Manager through the SUSE Linux operating system. Exploitation of this vulnerability is primarily accomplished through user access to the server environment. Alliance Key Manager does not provide user access to the server. Therefore, the risk of exploitation of this vulnerability is considered low. However, Townsend Security is providing a software update to address this issue.

If you wish to apply this update please contact Townsend Security support. 

A customer service representative will provide you with information on installing the update.

As has been widely noted, you may experience some performance degradation related to the resolution of the Meltdown/Spectre software fix. This will not affect most Alliance Key Manager customers. However, if you process a large number of keys (thousands or more) you may wish to apply the patch to a failover server first and test the performance. Townsend Security will assist you with any performance proof-of-concept if needed.

Please be advised that customers using Alliance Key Manager in virtualized environments (cloud, VMware, etc.) also run some risk related to any hypervisor that is subject to this vulnerability. Please contact your cloud service provider or virtualization software provider for more information.

 

Topics: Alliance Key Manager

Case Study: The Seed Company

Posted by Luke Probasco on Nov 6, 2017 10:32:47 AM

Securing Data in MongoDB Enterprise with Alliance Key Manager


“When choosing a key management solution, it needed to be 1) KMIP compliant and 2) affordable. Alliance Key Manager was both.”

- Jonathan Ganucheau, System Architect

 
The Seed Company

Founded in 1993 by Wycliffe Bible Translators Inc., Seed Company became one of the fastest growing Bible translation organizations by developing innovative ways to more rapidly, efficiently and accurately translate Scripture for groups who don’t have it in their language.

Over a billion people worldwide don’t have the full Bible in the language they know best. More than 1,600 languages don’t have any Scripture at all. Seed Company’s goal is zero languages without Scripture by 2025. In this generation, the Bible will become available to all for church planting, evangelism and discipleship efforts led by the local Church.

The Challenge: Protecting Private Data in MongoDB with Encryption & Key Management

As Seed Company began to outgrow its on-premise data center, it knew that in order to transition services into the cloud, the security team needed to assure business leaders and partners that their data in the cloud would be safe. To meet internal security requirements, not only did the solution need to be cloud based, but encryption needed to live in a secondary cloud provider. By taking a hybrid cloud approach and deploying a service in a secondary cloud provider, Seed Company could securely manage encryption keys and protect data stored in MongoDB Enterprise.

While compliance wasn’t a requirement, meeting security best practices to protect the contact data for partners in the field was. With identities of partners in violent, oppressive countries at stake, a breach could literally mean the difference between life and death.

The Solution

Alliance Key Manager

Seed Company’s adoption of the cloud was reliant on the ability to adequately protect private data. Alliance Key Manager was essential to their transition. “After two months of discovery, we looked at all of the cloud encryption key management vendors and compared everything from features to price,” said Jonathan Ganucheau, System Architect. “Alliance Key Manager met all of our criteria - with KMIP compliance and affordability leading our decision.”

“If someone was able to hack into our primary cloud platform and extract our backups, they still wouldn’t be able to get the actual data because the key manager is in a secondary cloud provider. This provides us with another level of hardening,” continued Ganucheau.

By deploying Alliance Key Manager, Seed Company was able to meet their organization’s needs to protect partner data in MongoDB in the cloud.

Integration with MongoDB Enterprise

“Having invested in MongoDB Enterprise with KMIP encryption, there was no need to buy competing encryption solutions, adding to the overall expense of the project,” said Ganucheau. With a low total cost of ownership, Alliance Key Manager customers can leverage the built-in encryption engine in MongoDB, with no limits imposed to the number of servers or data that can be protected.

“During discovery, one thing that came as a surprise to us was the number of vendors who claimed to support KMIP, but actually didn’t. They maybe started with KMIP compliance, but then deviated off course and no longer met our requirement of being a true KMIP service,” continued Ganucheau.

With no client software to install, Alliance Key Manager offers unparalleled security, flexibility, and affordability for all users of MongoDB Enterprise.

Reliability

One of the top concerns organizations have when encrypting data is losing access to encryption keys. Alliance Key Manager mirrors keys between multiple load-balanced servers over a secure and mutually authenticated TLS connection for hot backup and disaster recovery support. “Uptime is critical for our organization. Alliance Key Manager has remained up 100% over the past year, which is a big deal for our organization. Set it and forget it. It just works,” finished Ganucheau.

“Between your cost structure and reliability, Alliance Key Manager has earned my highest recommendation.”

Topics: Case Study, Alliance Key Manager, MongoDB

Case Study: Plaza Premium Lounge

Posted by Luke Probasco on Jun 19, 2017 8:29:59 AM

Meeting PCI DSS with Townsend Security's Alliance Key Manager Hardware Security Module (HSM)


“Alliance Key Manager is simple, reliable, and easy to use - as a result, has allowed us to meet PCI DSS compliance and expand our market.”

- Sandeep Tewatia, IT Director

 
Plaza Premium Lounge

Plaza Premium Lounge is a global service brand headquartered in Hong Kong and is the industry-leader in premium airport services. Their goal is to make your airport experience seamless and effortless and, through their hearty services, change the perception of travel at the airport. The company operates in more than 140 locations in 35 airports across the globe and counts over 3,500 employees. The success of their business model has prompted airport authorities around the world to offer independent lounge facilities and value-added airport services as part of a bid to enhance the overall traveler experience.

 

The Challenge: Meet PCI DSS Compliance with Encryption Key Management

PCI DSS 3.0 requires businesses to, “Protect stored cardholder data.” The Requirement 3 summary names encryption, truncation, masking, and hashing as “critical components of cardholder data protection” and places strong emphasis on key management: “If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person.”

Storing encryption keys next to the data they protect is not considered a security best practice and won’t meet data security compliance requirements like PCI DSS.

Faced with designing a PCI DSS compliant environment to store and process credit cards, Plaza Premium Lounge understood the importance of deploying an encryption key manager and that it should be based on industry standards. The solution had to be FIPS 140-2 compliant, designed to scale with their business needs, and have easy integration with IT infrastructure.  Additionally, the chosen vendor needed to provide excellent developer and technical support.

 

The Solution

Alliance Key Manager HSM

“I looked at all of the encryption key management HSM vendors,” said Sandeep Tewatia, IT Director. “Not only is Alliance Key Manager available as a FIPS 140-2 compliant HSM, Townsend Security has the same technology available in the cloud - which is important as we scale.”  By deploying Alliance Key Manager HSM, Plaza Premium Lounge was able to meet their business needs with a FIPS 140-2 compliant solution that could not only deploy quickly, but was also easy to set up and configure.

Integration with IT Infrastructure

“Townsend Security’s integration with our existing IT infrastructure really set the company apart,” continued Tewatia. “Alliance Key Manager has helped us meet our business goals of meeting PCI DSS in record time.”

By combining Alliance Key Manager and Townsend Security’s client applications and SDKs, Plaza Premium Lounge experienced a seamless integration with their IT infrastructure. Alliance Key Manager includes an unlimited license to use the Key Connection for SQL Server software.

Meeting PCI DSS Compliance

By managing encryption keys separately from the encrypted data, meeting PCI DSS encryption key management requirements went from a long, difficult, developer project to an easy integration.

“Having a PCI compliant environment has allowed us to expand our market and Alliance Key Manager was essential to us meeting section 3 for protecting stored cardholder data,” finished Tewatia.

Topics: Case Study, Alliance Key Manager

Case Study: Citizens Security Life Insurance

Posted by Luke Probasco on Mar 13, 2017 10:54:24 AM

Compliance Made Easy - Protecting Private Information with Alliance AES/400 Encryption for IBM i and Alliance Key Manager for VMware


“Townsend Security was extremely easy to work with - from the sales process to deploying our proof of concept to post-sales support.”

- Adam Bell, Senior Director of IT

 
Citizens Security Life Insurance

Citizens Security Life Insurance Company is a life and health insurance carrier. The company offers group benefits including dental and vision coverage, and individual ancillary insurance products. The company was founded in 1965 and is headquartered in Louisville, Kentucky.

The Challenge: Protect ePHI & PII on the IBM i

In order to meet growing partner requirements and pass a data security audit for protecting electronic Protected Health Information (ePHI) and Personally Identifiable Information (PII), Citizens Security Life Insurance (CSLI) needed to deploy an encryption solution on the IBM i. The solution needed to be easy to implement with excellent performance.

While FIELDPROC on the IBM i makes it very easy to encrypt data without application changes, CSLI also understood that for encrypted data to truly be secure, they would need to store and manage encryption keys with an external key manager.

By using a VMware-based encryption key manager, the company could meet encryption and key management best practices for separating encryption keys from the data they protect.

The Solutions

Alliance AES/400 Encryption

“The performance we are seeing with Alliance AES/400 encryption is excellent,” said Adam Bell, Senior Director of IT, Citizens Security Life Insurance. “The solution was easy to integrate and completely met our expectations.”

Alliance AES/400 FIELDPROC encryption is NIST-compliant and optimized for performance. The solution is up to 100x faster than equivalent IBM APIs on the IBM i platform.

With Alliance AES/400, businesses can encrypt and decrypt fields that store data such as credit card numbers, social security numbers, account numbers, ePHI, and other PII instantly without application changes.

Alliance Key Manager for VMware

“Alliance Key Manager for VMware was very easy to implement and the resources Townsend Security provided made deployment a smooth process,” continued Bell. By deploying Alliance Key Manager for VMware, CSLI was able to meet their business needs with a solution that could not only deploy quickly, but was also easy to set up and configure.

Alliance Key Manager for VMware leverages the same FIPS 140-2 compliant technology found in Townsend Security’s hardware security module (HSM) and in use by over 3,000 customers. The solution brings a proven and mature encryption key management solution to VMware environments, with a lower total cost of ownership. Additionally, the key manager has been validated to meet PCI DSS in VMware environments.

Integration with the IBM i Platform

An encryption strategy is only as good as the key management strategy, and it can be difficult to get key management right. For companies doing encryption, the most common cause of an audit failure is an improper implementation of key management. The seamless integration between Alliance AES/400 and the external Alliance Key Manager for VMware allowed CSLI to pass their data security audit with flying colors.

“The relationship we developed with Townsend Security enabled us to have a painless sales and support process, and in turn, enabled us to easily pass our data security audit,” finished Bell.

Topics: Case Study, Alliance AES/400, Alliance Key Manager

How Do I Find and Start Alliance Key Manager for Encryption Key Management in AWS?

Posted by Patrick Townsend on Sep 6, 2016 10:52:19 AM

For Amazon Web Services (AWS) users, encryption and key management has never been easier.  Townsend Security's Alliance Key Manager uses the same FIPS 140-2 compliant key management technology found in the company's HSM and in use by over 3,000 customers worldwide. In the AWS Marketplace, there are two entries for Alliance Key Manager – one is for the fee-based implementation and one is for the Bring Your Own License (BYOL) implementation. Both are identical in their key management functionality. If you only need one or two instances of Alliance Key Manager you can use the fee-based entry in the marketplace. If you are going to use more than a couple of instances of the key manager you may want to use the Bring Your Own License entry to launch the key manager. There are discounts available for multiple instances of Alliance Key Manager and the BYOL version may be less expensive.

If you are logged into your AWS account you can directly launch Alliance Key Manager from the marketplace. Both licensing models support a free 30-day license to use the key manager.

Before launching, you should determine if you want to run the key manager in the public AWS cloud, or if you want to run the key manager in a virtual private cloud (VPC).  The AWS virtual private cloud platform provides more isolation from other cloud customers and therefore a bit more security, if that is desired.

As you launch Alliance Key Manager in the AWS cloud you will need to select a region in which to run the key manager. Alliance Key Manager supports all of the AWS regions and you can run it anywhere. Your choice of regions may reflect your estimate of where you will have the greatest demand, or where you want critical key material to reside.

Once your AWS instance of Alliance Key Manager has been launched you can open an SSH session to the key manager to perform initial set up. You will change your password, create a set of server and client PKI certificates, indicate whether this instance of the key server is a primary or secondary mirror server, and create some initial unique encryption keys. After answering these questions you will have a fully functional, dedicated EC2 instance of Alliance Key Manager ready to use.

Alliance Key Manager comes with a full suite of software development kits (SDKs) and documentation, but the marketplace is limited to three documents. After you launch your AWS instance of the key manager please contact Townsend Security to register and get access to the AKM Supplemental documentation.  Unless you register at the Townsend Security web site it will not be possible to contact you and send you the documentation. There is no charge for access to the documentation.

The AWS license comes with customer support at the Basic level. This provides technical support and software updates via email during business hours. A Premium Support option is available that provides telephone and web support and includes 24/7/365 support for business interruption issues. Please visit the Townsend Security web site for more information about the Premium Support option and to register your instance of Alliance Key Manager for AWS.

At Townsend Security we want to provide you with a positive experience with our key management products and provide you the support you deserve. When you run our Alliance Key Manager in AWS we won’t know who you are because Amazon does not report that information. By registering at the Townsend Security web site you get access to documentation, SDKs and free support. And we can keep you up to date on the latest security patches and enhancements!

You can find more information about Alliance Key Manager in AWS here.

Topics: Alliance Key Manager, Amazon Web Services (AWS)

How Do I Encrypt Data and Manage Encryption Keys Using Java in Amazon Web Services (AWS)?

Posted by Patrick Townsend on Aug 22, 2016 10:51:12 AM

If you are a Java developer you probably know that the Java language has full native support for AES encryption. You don’t need any third-party SDKs or add-ins to Java to use industry-standard, strong encryption. The standard Java APIs are based on industry standards and are very efficient. Don’t hesitate to use that built-in facility. You include it in your Java application like this:

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

Encryption key management is another story. To implement good encryption key management you will need to turn to an enterprise key management solution and its Java library. Our Alliance Key Manager for AWS solution provides a Java SDK to help you with encryption key use. The Alliance Key Manager Java SDK lets you easily retrieve an encryption key for use in your application, or alternatively send data to Alliance Key Manager over a secure connection so that the encryption or decryption task is performed directly on the key server. This encryption service is helpful in situations where you don’t want to expose the encryption key in your application or server environment.

Many developers use the Java Keystore (JKS/JCEKS) facility for storing encryption keys. The Java key store is a key storage facility rather than a key management facility, and it rarely meets compliance regulations for separating keys from the data they protect, providing for separation of duties, and dual control. If you are currently storing encryption keys in a JKS repository you may want to consider moving them to a true key management solution like Alliance Key Manager.

One of the advantages of the Alliance Key Manager SDK is the built-in high availability failover facility. By using the Alliance Key Manager SDK in the event of a network or other failure you automatically fail over to a secondary HA key server in real-time. This means your application keeps running even though a network or system error prevents access to the primary key server.

The Java SDK for Alliance Key Manager includes all of the support needed to make a secure connection to the key server, retrieve an encryption key, access the encryption and decryption services on Alliance Key Manager, and perform other common functions. By using the SDK the Java developer can avoid writing all of the code needed to perform these tasks – the work needed to retrieve an encryption key is reduced to a few lines of code.  We think this is a big bonus for the Java developer and helps make their lives easier. And sample source code will really speed along the process.

Here is an extract of the sample source code showing the retrieval of an encryption key from Alliance Key Manager, an encryption of some plaintext, and the decryption of that ciphertext:

// Note: Full sample source available (this is just an extract)
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import com.townsendsecurity.akmcore.AkmException;
import com.townsendsecurity.akmcore.AkmUtil;
import com.townsendsecurity.akmcore.AkmRequest;

import com.townsendsecurity.akmkeys.AkmKeyRequest;
import com.townsendsecurity.akmkeys.AkmSymKey;

// The AKM configuration file
String sCfgFile = "/path/jakmcfg.xml";

// Create a key request object initialized from the configuration file
AkmKeyRequest keyRQ = null;
keyRQ = AkmKeyRequest.getInstance(sCfgFile);

// Define the key name (placeholder; the extract does not show this declaration)
String sKey = "some-key";

// Define the key instance (version) name
String sInstance = "some-name";

// Retrieve the encryption key from Alliance Key Manager
AkmSymKey symkey = null;
symkey = keyRQ.retrieveSymKey(sKey, sInstance);

// Create a context (EncryptDecryptCBC is a class from the full sample source)
EncryptDecryptCBC cryptor = new EncryptDecryptCBC(symkey.getKeyBytes());

// Let’s encrypt some plaintext (placeholder value; not shown in the extract)
String plaintext = "some plaintext";
byte[] ciphertext = null;
ciphertext = cryptor.encryptSymmetric(plaintext.getBytes());

// Let’s decrypt the ciphertext
byte[] plainbuf = null;
plainbuf = cryptor.decryptSymmetric(ciphertext);

There is no charge for the Java SDK and all Alliance Key Manager customers have access to the Java SDK and sample code. AWS customers must register on the Townsend Security web site to get access to the Java code. You can do that here.
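The extract above uses an EncryptDecryptCBC class whose body is not shown. As an added illustration (not Townsend Security's sample code), here is one way such a helper can be written with only the standard javax.crypto classes the post imports. The class name AesCbcExample, its method names, and the all-zero test key are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper (not the SDK's EncryptDecryptCBC): AES-CBC with a fresh IV per message.
// CBC gives confidentiality only; add a MAC or use AES/GCM if tampering must be detected.
public class AesCbcExample {
    private static final int IV_LEN = 16; // AES block size in bytes
    private final SecretKeySpec key;
    private final SecureRandom rng = new SecureRandom();

    public AesCbcExample(byte[] keyBytes) {
        // keyBytes must be 16, 24 or 32 bytes long (AES-128/192/256)
        this.key = new SecretKeySpec(keyBytes, "AES");
    }

    // Returns IV || ciphertext so the decrypting side can recover the IV.
    public byte[] encrypt(byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        rng.nextBytes(iv); // never reuse an IV under the same key
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    public byte[] decrypt(byte[] ivAndCiphertext) throws GeneralSecurityException {
        if (ivAndCiphertext.length < 2 * IV_LEN) { // IV plus at least one padded block
            throw new GeneralSecurityException("input too short");
        }
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(ivAndCiphertext, 0, IV_LEN));
        return c.doFinal(ivAndCiphertext, IV_LEN, ivAndCiphertext.length - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        // Constructed all-zero test key; in the post's flow this would be symkey.getKeyBytes().
        byte[] keyBytes = new byte[32];
        AesCbcExample cryptor = new AesCbcExample(keyBytes);
        byte[] ct = cryptor.encrypt("some plaintext".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(cryptor.decrypt(ct), StandardCharsets.UTF_8));
    }
}
```

Passing an explicit charset to getBytes, as done here, keeps the ciphertext independent of the platform default encoding.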


Topics: Encryption, Amazon Web Services (AWS), Encryption Key Management, Alliance Key Manager

 

 
