
Can someone help me understand this recommendation:

Under symmetric encryption, the authors write:

> If you are in a position to use a key management system (KMS), then you should use KMS. If you are not in a position to use KMS, then you should use authenticated encryption with associated data (AEAD).

These seem orthogonal to me. KMS := how keys are generated and distributed to communication partners. AEAD := how data is encrypted between communication partners using those keys.

How can it be “use a KMS if you can _or else_ use AEAD”? Shouldn’t it be “and”? What am I missing?



I think this was copied from Latacora’s cryptographic right answers without some of the necessary context. It’s specifically talking about the KMS offerings from AWS/Google Cloud, which provide trusted hardware implementations of not just key management, but also symmetric/asymmetric encryption, HMAC, etc. All the symmetric constructions provided by these platforms are AEADs, so the point is, if you’re using AWS’s KMS, don’t think about it, just use the default. Which is fairly sensible advice.


KMS is often used to store KEKs only; you'd still have to create and manage DEKs and use AEAD for actual data encryption.
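The envelope-encryption split described in this comment (KMS holds the KEK, the application generates DEKs and uses an AEAD for the data), as an added example that is not part of the thread and not the code of any real KMS. The in-memory `KMS` type, its `GenerateDataKey`/`UnwrapDataKey` methods and the `Envelope` struct are hypothetical stand-ins for a service API; only Go's standard-library AES-GCM is real. Both layers are AEADs: the key ID is bound as associated data when the DEK is wrapped, and the caller's associated data is bound when the record is sealed, so a wrapped DEK swapped between IDs or a modified ciphertext fails to decrypt rather than yielding garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KMS is a constructed stand-in for a key management service: it holds the
// key-encryption key (KEK) and never hands it out. Clients only see data keys.
type KMS struct{ kek cipher.AEAD }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

// NewKMS generates a fresh 256-bit KEK; a real service would keep it in an HSM.
func NewKMS() (*KMS, error) {
	kek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	return &KMS{kek: aead}, nil
}

// GenerateDataKey returns a fresh DEK in plaintext (use it, then discard) and the
// same DEK wrapped under the KEK (store it next to the ciphertext). keyID is bound
// as associated data so the wrapped DEK cannot be replayed under another ID.
func (k *KMS) GenerateDataKey(keyID string) (plain, wrapped []byte, err error) {
	if plain, err = randomBytes(32); err != nil {
		return nil, nil, err
	}
	nonce, err := randomBytes(k.kek.NonceSize())
	if err != nil {
		return nil, nil, err
	}
	return plain, k.kek.Seal(nonce, nonce, plain, []byte(keyID)), nil
}

// UnwrapDataKey recovers the DEK, failing if the blob or the key ID was altered.
func (k *KMS) UnwrapDataKey(keyID string, wrapped []byte) ([]byte, error) {
	ns := k.kek.NonceSize()
	if len(wrapped) < ns {
		return nil, errors.New("wrapped key too short")
	}
	return k.kek.Open(nil, wrapped[:ns], wrapped[ns:], []byte(keyID))
}

// Envelope is what the application persists: wrapped DEK, nonce and ciphertext.
type Envelope struct {
	KeyID      string
	WrappedDEK []byte
	Nonce      []byte
	Ciphertext []byte
}

// EncryptEnvelope seals plaintext with a one-off DEK under AES-GCM, binding aad
// (for example a record identifier) so the ciphertext cannot be moved to another record.
func EncryptEnvelope(k *KMS, keyID string, plaintext, aad []byte) (*Envelope, error) {
	dek, wrapped, err := k.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return &Envelope{keyID, wrapped, nonce, aead.Seal(nil, nonce, plaintext, aad)}, nil
}

// DecryptEnvelope unwraps the DEK through the KMS and opens the record; any
// tampering with KeyID, WrappedDEK, Ciphertext or aad surfaces as an error.
func DecryptEnvelope(k *KMS, e *Envelope, aad []byte) ([]byte, error) {
	dek, err := k.UnwrapDataKey(e.KeyID, e.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, e.Nonce, e.Ciphertext, aad)
}

func main() {
	k, _ := NewKMS()
	env, _ := EncryptEnvelope(k, "tenant-a", []byte("constructed sample record"), []byte("record-42"))
	pt, err := DecryptEnvelope(k, env, []byte("record-42"))
	fmt.Printf("%q %v\n", pt, err)
	_, err = DecryptEnvelope(k, env, []byte("record-43")) // wrong associated data
	fmt.Println("moved record rejected:", err != nil)
}
```

The DEK lives only for the duration of one `EncryptEnvelope` or `DecryptEnvelope` call; what gets stored is the wrapped copy, so rotating or revoking the KEK inside the KMS is what governs access to all records, which is the reason the KEK is kept there in the first place.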


Depends; these days KMS also extends to solutions that provide full-on encryption as a service, such as Vault. If your design allows for a trusted and well-vetted EaaS solution to be used, that should be the first you go for.


It also goes on to say not to use Amazon or Google in the last section.

Fortunately there are good FOSS KMSes out there. I like Cloudflare's Red October: https://github.com/cloudflare/redoctober




