We encrypt traffic between instances in the same VPC, or if their VPCs are peered in the same region. We encrypt the entire customer packet, nothing is visible. We also encrypt our own network virtualization header.
Incidentally "Lever" is named for https://en.wikipedia.org/wiki/Mavis_Batey
Lever encryption and VPC Encryption or Inter-Region Peering often happen at the same time, e.g. packets crossing between AZs or regions. That's two layers of no-configuration required pervasive cryptography.
h/t to my colleague and Lever lead David Sinn for all that info!
Now, none of this means that you should not use TLS or other encryption protocols in your own applications. Network Encryption is awesome, but does not provide anti-replay, or application-to-application authentication. These new protocols are designed to fill gaps.
Of course it's great too to have a built-in mechanism to protect legacy traffic that is not encrypted at all.
These are the first features I've ever worked on where there is no API, nothing for you to do. This is all under the hood. There is no change to your experience running on AWS. Customers never see the encrypted traffic, we do the encryption and decryption for you.
All of the encryption and decryption happens in hardware; and for VPC Encryption, it's custom silicon designed and built by Annapurna Labs as part of our Nitro security system. That means we can do all of this with no impact on performance. We've been in production for months!
O.k. there you have it. VPC Encryption, Lever Link Encryption, Multi-Party key distribution, AES-256, no API or settings, just "on". AMA.
Some of us love boring cryptography. New key agreement protocols should be peer-reviewed, shouldn’t they? Moreover if I've understood well and it provides some form of PQ resistance (AES-256 can resist but you need to agree using some public key cryptography
It's nothing exciting, just using shared symmetric PSKs as an additional layer. Those mechanisms are peer reviewed, but new in this context. Might be a good topic for @RealWorldCrypto!
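As an added illustration of the idea in the reply above (a shared symmetric PSK layered on top of a public-key key agreement), and not code from AWS or from anyone in the thread: a Python sketch that mixes a constructed ephemeral shared secret with a PSK through HKDF (RFC 5869), so the derived key stays secret as long as either input does. The exact construction, the context label and all key material here are assumptions and placeholders; the HKDF helpers are checked against RFC 5869 Appendix A test case 1.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-SHA256(PRK, T(i-1) | info | i)."""
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):  # ceil(length / 32) blocks
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def derive_link_key(ephemeral_secret: bytes, psk: bytes, context: bytes) -> bytes:
    """Hypothetical 'PSK as an additional layer' construction (an assumption,
    not AWS's actual design): the PSK is the HKDF salt and the ephemeral
    key-agreement output is the IKM. Recovering the derived key needs both,
    so breaking the public-key step alone leaves the PSK layer intact."""
    prk = hkdf_extract(salt=psk, ikm=ephemeral_secret)
    return hkdf_expand(prk, b"hypothetical-link-key-v1|" + context, 32)


def rfc5869_test_case_1_ok() -> bool:
    """Check the HKDF helpers against RFC 5869 Appendix A, test case 1."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


# Constructed sample inputs (placeholders, not real key material).
EPHEMERAL_SECRET = hashlib.sha256(b"constructed ephemeral ECDH output").digest()
PSK_A = hashlib.sha256(b"constructed pre-shared key A").digest()
PSK_B = hashlib.sha256(b"constructed pre-shared key B").digest()
CONTEXT = b"vpc-link:az1->az2"


def psk_layer_matters() -> bool:
    """Same ephemeral secret with a different PSK, or same PSK with a different
    ephemeral secret, must yield a different 32-byte link key."""
    k_ab = derive_link_key(EPHEMERAL_SECRET, PSK_A, CONTEXT)
    other_secret = hashlib.sha256(b"constructed other ephemeral output").digest()
    return (k_ab == derive_link_key(EPHEMERAL_SECRET, PSK_A, CONTEXT)
            and k_ab != derive_link_key(EPHEMERAL_SECRET, PSK_B, CONTEXT)
            and k_ab != derive_link_key(other_secret, PSK_A, CONTEXT)
            and len(k_ab) == 32)


if __name__ == "__main__":
    print("HKDF RFC 5869 test vector ok:", rfc5869_test_case_1_ok())
    print("PSK layer changes the derived key:", psk_layer_matters())
```

The design choice worth noting is that the PSK goes into the extract step rather than being XORed or concatenated onto the final key: HKDF's extract/expand split is the standard, peer-reviewed way to combine two secrets of different provenance, and the context string binds the derived key to one link so the same PSK cannot be silently reused across links.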