< ciso
brief />
Tag Banner

All news with #encryption at rest tag

42 articles

Preparing for quantum-era threats to current encryption

πŸ”’ The article explains the growing reality of β€œharvest now, decrypt later” attacks, where adversaries steal encrypted data today to decrypt later with quantum computers. It summarizes industry and government perspectives, noting that most organizations underprioritize the risk despite emerging standards like NIST’s 2024 post-quantum algorithms and EU transition roadmaps. The piece reviews mitigation options β€” PQC, QKD, and the need for cryptoagility β€” and highlights examples from Spain and financial institutions planning phased transitions.
read more β†’

UK filtering plan raises encryption and security concerns

πŸ”’ UK Prime Minister Keir Starmer urged tech firms to implement device controls to block children from viewing or creating sexually explicit imagery, prompting CISOs to warn the plan could undermine enterprise encryption. Starmer gave companies three months to propose voluntary measures before pushing legislation; analysts caution on-device scanning is unlikely at scale and cloud processing would introduce new risks. Experts highlight logistical, performance, age-verification, and abuse risks that could create exploitable inspection vectors.
read more β†’

Amazon Quick Research adds customer-managed KMS keys

πŸ”’ Amazon Quick Research now supports encryption using customer-managed keys (CMKs) via AWS Key Management Service, enabling organizations to control encryption, auditing, and key lifecycle. Customers can use multiple CMKs with one default key per AWS account per region and must create CMKs in the same account and region as Quick resources. Only symmetric KMS keys are supported, and CloudTrail integration provides comprehensive audit trails and the ability to revoke compromised keys within 15 minutes. The feature is generally available in all AWS Regions where Amazon Quick is offered.
read more β†’

Amazon Quick Research adds customer-managed KMS keys

πŸ” Amazon Quick Research now supports customer-managed keys (CMKs) via AWS Key Management Service (KMS), enabling organizations to manage encryption keys for their Quick data. Customer-managed keys provide enhanced control, CloudTrail-based auditing, and the ability to revoke compromised keys within 15 minutes. Only symmetric KMS keys created in the same account and region are supported, with one default CMK per account per region and support for multiple CMKs across datasets.
read more β†’

Microsoft Weighs Patch for YellowKey BitLocker Flaw

πŸ”’ Microsoft is evaluating a patch for a newly disclosed zero-day, YellowKey, which can bypass BitLocker encryption and allow local attackers to read and modify files. The company issued an advisory for CVE-2026-45585 and provided immediate mitigation guidance while a fix is considered. Organizations are urged to limit physical access to vulnerable devices, audit their environments, and strengthen Secure Boot and firmware integrity controls.
read more β†’

AWS Advanced JDBC Wrapper Adds KMS Column Encryption

πŸ”’ The AWS Advanced JDBC Wrapper now includes a KMS Encryption plugin that provides column-level client-side encryption for Java applications. Operating at the JDBC driver, the plugin encrypts values before they reach the database and decrypts on read, keeping plaintext visible only to the application while allowing HMAC-based integrity checks. It integrates with Aurora and RDS (PostgreSQL and MySQL-compatible), Spring, Hibernate, and common connection pools without code changes, and is available as open-source under the Apache 2.0 license.
read more β†’

Amazon OpenSearch Adds Index-Level Encryption with KMS

πŸ”’ Amazon OpenSearch Service now supports index-level encryption using AWS Key Management Service (KMS) customer managed keys. This allows you to assign different customer managed keys to individual indexes on the same domain, enabling more granular, tenant-specific encryption policies and isolating encrypted data across indexes. The capability builds on existing domain-level encryption and is available at no additional cost for domains running OpenSearch 3.3 or later in select AWS Regions.
read more β†’

Amazon S3: New Default Disables SSE-C for Buckets Globally

πŸ” Amazon S3 is rolling out a new default bucket security setting that will automatically disable server-side encryption with customer-provided keys (SSE-C) for all new general purpose buckets. For existing buckets in accounts without any SSE-C-encrypted objects, S3 will also block SSE-C for new write requests. AWS will not change buckets in accounts that already use SSE-C. The rollout covers 37 regions, including AWS China and GovCloud, over the next few weeks.
read more β†’

Amazon RDS for Oracle Now Available on AWS Outposts

🏒 Amazon RDS for Oracle is now available on AWS Outposts, enabling customers to run a managed Oracle database service on-premises with the same operational model used in AWS Regions. The offering supports Oracle Database 19c and 21c under a BYOL model and includes automated backups, automated patching, point-in-time recovery, CloudWatch monitoring, and encryption at rest with AWS KMS. It also supports multi-AZ deployments across Outposts racks for high availability and provides options for disaster recovery to the parent AWS Region or across Outposts.
read more β†’

Amazon ECS Managed Instances Add FIPS for Graviton/GPU

πŸ”’ Amazon now supports FIPS-compliant operation for Amazon ECS Managed Instances running Graviton-based and GPU-accelerated workloads in the AWS GovCloud (US) Regions. ECS Managed Instances in GovCloud enable FIPS by default, use FIPS-compliant endpoints and validated cryptographic modules, and boot kernels in FIPS mode. Customers can enable the feature via the Console, ECS MCP Server, ECS Express Mode, or infrastructure-as-code; management charges apply in addition to EC2 costs.
read more β†’

HP launches TPM Guard to block physical TPM attacks

πŸ”’ HP announced TPM Guard, a hardware-plus-firmware solution introduced at its Imagine event, which creates an authenticated, encrypted tunnel between the TPM and the CPU to protect keys in transit. The design cryptographically binds the TPM to the host processor so the chip stops functioning if removed. HP says the feature thwarts low-cost physical attacks that can intercept TPM communications and will be available via firmware update on selected G2 commercial PCs starting in July, with broader integration in future models.
read more β†’

Amazon Redshift: Federated Permissions via IAM IdC

πŸ” Amazon Redshift now supports federated permissions with AWS IAM Identity Center (IdC) across multiple AWS Regions, letting you extend IdC from a primary Region to additional Regions for improved proximity-based performance and resilience. In those Regions you can create Redshift and Lake Formation Identity Center applications without replicating identities, so existing workforce identities can query warehouses while row-, column-level and masking controls continue to apply automatically. Users benefit from single sign-on access via Amazon QuickSight, the Redshift Query Editor, or third-party SQL tools, simplifying access and compliance across regions.
read more β†’

Amazon Managed Grafana Adds Customer-Managed KMS Keys

πŸ” Amazon Managed Grafana now supports customer-managed keys (CMKs) through AWS Key Management Service (KMS), enabling you to encrypt workspace data with keys you control. Previously, Amazon Managed Grafana used AWS-owned keys by default; this option lets organizations add a self-managed encryption layer to meet compliance and regulatory requirements. The feature is available in all generally available regions except AWS GovCloud (US) Regions.
read more β†’

Amazon Aurora enables default server-side encryption

πŸ”’ Amazon Aurora now automatically applies server-side encryption by default to all new database clusters created without custom encryption settings, using AWS-owned keys. This fully managed encryption is transparent to users and incurs no cost or performance impact. Existing clusters are unaffected; you can still select customer-managed or AWS-managed KMS keys during creation. Available in all AWS Regions including GovCloud.
read more β†’

Preparing for the Quantum Era: A Call to Secure PQC

πŸ” Google issues a call to action to protect digital systems against quantum threats, outlining its post-quantum cryptography (PQC) work and policy recommendations. The company warns that large-scale quantum computers could break current public-key cryptography and cautions about 'store now, decrypt later' harvesting of encrypted data. Google commits to research transparency, completing PQC migrations within NIST guidelines, and strengthening crypto agility, critical shared infrastructure, and ecosystem readiness.
read more β†’

Microsoft Provides BitLocker Keys to FBI Under Orders

πŸ” Microsoft has the technical ability to release BitLocker recovery keys to the FBI when presented with appropriate court orders, a capability reportedly exercised roughly twenty times per year. While users can keep recovery keys only on their own devices, Microsoft advises storing them on its servers for convenience. That cloud backup simplifies recovery after lost credentials or device lockouts but also makes keys accessible to law enforcement through subpoenas or warrants.
read more β†’

Google Cloud Single-tenant Cloud HSM Now Generally Available

πŸ” Single-tenant Cloud HSM is now generally available in the U.S. and EU, offering dedicated, hardware-enforced key isolation for regulated workloads. It provides FIPS 140-2 Level 3 validated Marvell LiquidSecurity HSMs, quorum-based administration, and the ability to revoke Google access to make keys unavailable. Google manages provisioning and high availability while customers retain root key control and can provision clusters in minutes using gcloud.
read more β†’

Update Server-Side Encryption Type for Amazon S3 Objects

πŸ”’ You can now change the server-side encryption type of encrypted objects in Amazon S3 without moving data. Use the UpdateObjectEncryption API to atomically change encryption keys across any object size or storage class, and run it at scale with S3 Batch Operations to standardize entire buckets while preserving object properties and Lifecycle eligibility. The capability supports migrating from SSE-S3 to SSE-KMS, swapping customer-managed KMS keys, and enabling S3 Bucket Keys to reduce KMS requests. The API is available in all AWS Regions via the AWS Management Console and SDKs.
read more β†’

Microsoft Handed BitLocker Keys to US Law Enforcement

πŸ” Microsoft complied with a US search warrant in early 2025 and provided BitLocker recovery keys stored on its servers to investigators probing alleged COVID unemployment fraud in Guam. Because many Windows installations back up recovery keys by default to Microsoft cloud services, those keys were retrievable when legally compelled. Experts stress this is a custody and governance issue rather than a cryptographic failure of BitLocker, and recommend restricting default cloud backups, enforcing strict admin controls, and redirecting keys to on‑premises or enterprise key vaults where possible.
read more β†’

EMR Serverless Supports AWS KMS Customer-Managed Keys

πŸ”’ Amazon EMR Serverless now supports encrypting local disks with AWS KMS customer managed keys (CMKs), enabling customers to adopt CMKs instead of default AWS-owned keys for greater encryption control. You can use CMKs from the same account or from another account and apply them at the application level or per job run and interactive session. This capability is supported on new and existing EMR Serverless applications across all supported EMR release versions and is available in all Regions, including AWS GovCloud (US) and China.
read more β†’