gosphotodesign - Fotolia

AES-128 encryption key generation: Leave it to AWS or do it in-house?

Organizations can opt to allow Amazon Elastic Transcoder to generate AES-128 encryption keys or do the job in-house -- which is more secure? Expert Dan Sullivan explains.

When using Amazon Elastic Transcoder for AES-128 encryption on HTTP Live Streaming content, data keys can be created by us, or generated by Elastic Transcoder. What are the security implications of each offer, and which option would be best in an enterprise?

This question is an instance of the broader issue of how to manage encryptions keys. Let's start with some definitions:

Amazon Elastic Transcoder is a service for transforming media content from one format to another. It is used to map media files into a format appropriate for a particular device, such as a mobile phone.

HTTP Live Streaming or HLS is a protocol for optimizing media playback. HLS sends segments of media files from servers to devices as needed to render content.

As with any other message or content sent over the network, there are reasons to encrypt HLS data. Amazon Elastic Transcoder services support AES-128 encryption; that is, segments of media are encrypted before leaving the server and decrypted by the client device. The server will need access to the encryption key and the client will need access to the decryption key. Amazon Elastic Transcoder handles both of those requirements.

That leaves one question, where do these keys come from? Amazon gives you a choice: You can use the key generation features of Amazon Transcoder service or you can generate your own.

If you have an existing private key infrastructure that is centrally managed, it makes sense to use that to generate keys. Managing keys is not a trivial task, but you can take advantage of the fact that you have policies and procedures in place to manage and govern key generation. This is especially the case if you have other applications that make use of the centralized key management service. By using the same key management system for multiple applications, you may be able to streamline and reduce management overhead. For example, when auditing your key management practices, you would only have to reference the centralized key management service instead of multiple, application specific key management services.

If you do not have a private key infrastructure in place, it may be simpler to use Amazon Transcoder's encryption service and manage the keys as part of the media management process. If you want more control over key management, consider using AWS Key Management Services. This service is designed to support key management for both cloud-based and on-premises encryption.

Ask the Expert:
Have a question about cloud security? Send it via email today. (All questions are anonymous.)

Next Steps

Learn more about the security benefits of AWS Key Management Services

Dig Deeper on Cloud Data Storage, Encryption and Data Protection Best Practices