undefobj
commented
5 years ago Hi @jkeys-ecg-nmsu we are looking at encryption of the storage category in the future, however KMS is not in scope for this as key management is a very large problem space and doing this reliably with rotation might not be scalable, reliable, or even cost effective for apps. KMS is also primarily targeted at backend key management where the behavior compared to mobile and web devices is much different. The common way of doing this in the industry for apps is with developer provided keys locally on the device. From a compliance standpoint, many of them require full device encryption anyway or for the whole of the app rather than just part of it. If you have any specific compliance documentation and case for storing such data permanently on the device where you cannot use developer provided keys, can you please point us at such material?
jkeys-ecg-nmsu
stale[bot]
sbaxter
FrankySnow
de1mat
rpostulart
TorrentofShame
Is your feature request related to a problem? Please describe. Electronic Caregiver is a healthcare and security company, so we deal with multiple compliance regimes: HIPAA, PCI, etc. If we intend to keep any e.g. PHI on the client for fast lookup, we need a way to keep it encrypted without storing permanent keys on the client.
Describe the solution you'd like I'd like Amplify to (optionally) seamlessly encrypt and decrypt any and/or all data in localStorage by way of external calls to KMS. I'd also like Amplify to handle the same for arbitrary local files, so we can easily store sensitive data locally and attach that data to the client.
I'm not a security expert, so I'm not sure how this could be achieved without defeating the point (which seems to be easier to do than actually designing a secure client-side encryption scheme). I'm hoping someone smarter than me can fill in the gaping holes in my FR.