Key Management Systems


Introduction

Key management is the foundation of cryptographic security. Poor key management — hardcoded keys, weak rotation schedules, inadequate access controls — undermines even the strongest encryption algorithms. Modern key management systems (KMS) provide centralized, auditable key lifecycle management.

Cloud KMS: AWS KMS vs GCP Cloud KMS

AWS Key Management Service

AWS KMS is a managed service for creating and controlling encryption keys. It integrates with most AWS services and provides FIPS 140-2 validated HSM-backed key storage.




```bash
# Create a symmetric KMS key and capture its KeyId for the alias step
KEY_ID=$(aws kms create-key \
    --description "Production data encryption key" \
    --key-usage ENCRYPT_DECRYPT \
    --origin AWS_KMS \
    --tags TagKey=Environment,TagValue=Production \
    --query KeyMetadata.KeyId --output text)

# Create an alias so applications never reference the raw key id
aws kms create-alias \
    --alias-name alias/production-key \
    --target-key-id "$KEY_ID"

# Encrypt data (CiphertextBlob is returned base64-encoded in text output)
aws kms encrypt \
    --key-id alias/production-key \
    --plaintext fileb://secret.txt \
    --output text \
    --query CiphertextBlob | base64 --decode > secret.encrypted

# Decrypt data (the KMS key id is embedded in the ciphertext, so none is passed)
aws kms decrypt \
    --ciphertext-blob fileb://secret.encrypted \
    --output text \
    --query Plaintext | base64 --decode
```








An IAM policy that allows Encrypt and Decrypt on keys in the account only when the request arrives through S3 (kms:ViaService is a string condition key, so it is matched with StringEquals):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:us-east-1:123456789012:key/*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```
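To make the condition concrete, here is a small evaluator (added for this page, not AWS code) that applies the statement above to sample requests; the policy dict and request contexts are constructed, and it models only the StringEquals and Bool operators plus IAM's * and ? wildcards.

```python
import fnmatch

# Constructed sample: the S3-restricted KMS statement shown on this page.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Encrypt", "kms:Decrypt"],
        "Resource": "arn:aws:kms:us-east-1:123456789012:key/*",
        "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}},
    }],
}


def _condition_holds(condition, context):
    """Evaluate the two operators this page uses. StringEquals is an exact
    match; Bool only accepts true/false on both sides, so a Bool block wrapped
    around a hostname can never be satisfied. A missing context key fails."""
    for operator, checks in condition.items():
        for key, expected in checks.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "Bool":
                a, e = str(actual).lower(), str(expected).lower()
                if a not in ("true", "false") or a != e:
                    return False
            else:  # operators not modelled here are treated as unsatisfied
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Simplified IAM evaluation: an explicit Deny wins; otherwise the request
    is allowed only if some Allow statement matches action, resource and condition."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

A direct kms:Decrypt call with no kms:ViaService in the request context is denied, as is the same call routed through a service other than S3; a Bool block around kms:ViaService would grant nothing at all.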





GCP Cloud KMS

GCP Cloud KMS offers similar functionality with an emphasis on hierarchical key management and integration with Cloud HSM.




```bash
# Create a keyring
gcloud kms keyrings create production-keyring \
    --location global

# Create a symmetric key with automatic 90-day rotation
gcloud kms keys create production-key \
    --keyring production-keyring \
    --location global \
    --purpose encryption \
    --rotation-period 90d \
    --next-rotation-time "2026-08-10T00:00:00Z"

# Encrypt with the customer-managed key (CMEK); '-' reads stdin / writes stdout
CIPHERTEXT=$(echo -n "sensitive-data" | gcloud kms encrypt \
    --plaintext-file=- \
    --ciphertext-file=- \
    --location global \
    --keyring production-keyring \
    --key production-key \
    | base64)

# Decrypt the base64 ciphertext captured above
echo -n "$CIPHERTEXT" | base64 --decode | gcloud kms decrypt \
    --ciphertext-file=- \
    --plaintext-file=- \
    --location global \
    --keyring production-keyring \
    --key production-key
```





Envelope Encryption

Envelope encryption encrypts data with a data key (DEK), then encrypts the DEK with a key encryption key (KEK) stored in KMS. This enables local encryption while delegating key management to KMS.




```python
import base64

import boto3
from cryptography.fernet import Fernet

kms = boto3.client('kms')


def envelope_encrypt(plaintext, kms_key_id):
    # Ask KMS for a fresh 256-bit data key; the response carries both the
    # plaintext DEK and the DEK wrapped under the KMS key (the KEK)
    response = kms.generate_data_key(
        KeyId=kms_key_id,
        KeySpec='AES_256'
    )
    plaintext_data_key = response['Plaintext']
    encrypted_data_key = response['CiphertextBlob']

    # Encrypt data locally with Fernet (it expects the 32-byte key urlsafe-base64 encoded)
    fernet = Fernet(base64.urlsafe_b64encode(plaintext_data_key))
    encrypted_data = fernet.encrypt(plaintext.encode())

    # Persist only the ciphertext and the wrapped DEK; the plaintext DEK is discarded
    return {
        'encrypted_data': encrypted_data,
        'encrypted_data_key': encrypted_data_key,
    }


def envelope_decrypt(encrypted_payload):
    # Unwrap the DEK via KMS (the KMS key id is embedded in the ciphertext blob)
    response = kms.decrypt(
        CiphertextBlob=encrypted_payload['encrypted_data_key']
    )
    plaintext_data_key = response['Plaintext']

    # Decrypt data locally with the unwrapped DEK
    fernet = Fernet(base64.urlsafe_b64encode(plaintext_data_key))
    return fernet.decrypt(encrypted_payload['encrypted_data']).decode()
```





Hardware Security Modules (HSM)

HSMs provide tamper-resistant hardware for key generation, storage, and cryptographic operations. Cloud HSMs (AWS CloudHSM, GCP Cloud HSM) offer dedicated HSM instances.




```bash
# AWS CloudHSM: list keys via the PKCS#11 library
# The PIN is the crypto user's "<user>:<password>" (placeholder values below)
pkcs11-tool --module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so \
    --slot 0 --login --pin "<cu_user>:<password>" --list-objects

# Generate an AES-256 key on the HSM; the key material never leaves the device
pkcs11-tool --module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so \
    --slot 0 --login --pin "<cu_user>:<password>" \
    --keygen --key-type AES:256 --label "production-encryption-key" \
    --id 1234
```





Key Rotation

Automatic key rotation limits how much data any one key protects and so reduces the impact of a key compromise. Both AWS KMS and GCP Cloud KMS support automatic rotation (AWS KMS rotates a symmetric key's material in place via enable-key-rotation, and GCP Cloud KMS creates a new primary key version on the --rotation-period schedule shown above). The script below instead performs a manual rotation: it creates a replacement key and repoints the alias at it.




```python
# Manual key rotation script
import logging
from datetime import datetime

import boto3

logger = logging.getLogger(__name__)


def rotate_kms_key(key_id):
    client = boto3.client('kms')

    # Create the replacement key
    new_key = client.create_key(
        Description=f'Rotated key for {key_id} - {datetime.now()}',
        KeyUsage='ENCRYPT_DECRYPT',
        Origin='AWS_KMS'
    )
    new_key_id = new_key['KeyMetadata']['KeyId']

    # Repoint the alias; applications that encrypt via the alias pick up the new key
    client.update_alias(
        AliasName='alias/production-key',
        TargetKeyId=new_key_id
    )

    # Re-encrypt data with the new key before the old key goes away: each
    # ciphertext records the key that produced it, so anything still wrapped
    # under key_id becomes undecryptable once that key is deleted.

    # Schedule old key deletion after the grace period (7 days is the minimum KMS allows)
    client.schedule_key_deletion(
        KeyId=key_id,
        PendingWindowInDays=7
    )

    logger.info(f'Key rotated: {key_id} -> {new_key_id}')
```
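The re-encryption pass the script above only mentions, written as an added example for this page (not AWS or boto3 code): stored ciphertexts are re-wrapped with KMS ReEncrypt before the old key is scheduled for deletion. A real boto3.client('kms') can be passed as kms; FakeKMS is a constructed offline stand-in that mimics the response shapes so the code runs without AWS access.

```python
def reencrypt_records(kms, records, new_key_id, encryption_context=None):
    """Re-wrap each stored ciphertext under new_key_id via KMS ReEncrypt,
    which never exposes plaintext to the caller. KMS reads the source key
    from the ciphertext itself, so only the destination key is needed.
    Records already under new_key_id are skipped, so re-runs are safe."""
    rewrapped = 0
    for rec in records:
        if rec.get("key_id") == new_key_id:
            continue
        kwargs = {"CiphertextBlob": rec["ciphertext"], "DestinationKeyId": new_key_id}
        if encryption_context:  # keep the same context on both sides of the re-wrap
            kwargs["SourceEncryptionContext"] = encryption_context
            kwargs["DestinationEncryptionContext"] = encryption_context
        resp = kms.re_encrypt(**kwargs)
        rec["ciphertext"], rec["key_id"] = resp["CiphertextBlob"], resp["KeyId"]
        rewrapped += 1
    return rewrapped


def rotate_key(kms, alias_name, old_key_id, records, grace_days=7):
    """Rotation order that keeps data decryptable: create the new key, repoint
    the alias, re-encrypt everything, and only then schedule the old key's
    deletion. Deleting first would strand every ciphertext (backups included)
    still wrapped under the old key."""
    new_key_id = kms.create_key(KeyUsage="ENCRYPT_DECRYPT", Origin="AWS_KMS")["KeyMetadata"]["KeyId"]
    kms.update_alias(AliasName=alias_name, TargetKeyId=new_key_id)
    count = reencrypt_records(kms, records, new_key_id)
    kms.schedule_key_deletion(KeyId=old_key_id, PendingWindowInDays=grace_days)
    return new_key_id, count


class FakeKMS:
    """Offline stand-in for boto3's KMS client, constructed for this example.
    Ciphertexts are modelled as b"<key_id>:<payload>"; no real cryptography."""
    def __init__(self):
        self.aliases, self.deletions = {}, []
    def create_key(self, **kwargs):
        return {"KeyMetadata": {"KeyId": "key-new"}}
    def update_alias(self, AliasName, TargetKeyId):
        self.aliases[AliasName] = TargetKeyId
    def re_encrypt(self, CiphertextBlob, DestinationKeyId, **kwargs):
        payload = CiphertextBlob.split(b":", 1)[1]
        return {"CiphertextBlob": DestinationKeyId.encode() + b":" + payload, "KeyId": DestinationKeyId}
    def schedule_key_deletion(self, KeyId, PendingWindowInDays):
        self.deletions.append((KeyId, PendingWindowInDays))
```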





Conclusion

Effective key management requires centralized control, hardware-backed security, automatic rotation, and strict access policies. Envelope encryption balances security and performance by combining KMS-managed key encryption keys with locally-generated data keys. AWS KMS and GCP Cloud KMS both provide robust solutions — choose based on your cloud provider ecosystem and compliance requirements.