All news with #key management tag

🔽 AWS reduced AWS Payment Cryptography API request prices by up to 63% and introduced a fourth pricing tier to better accommodate high-volume workloads. The update also moves key billing from a flat-rate model to tiered key pricing and unifies pricing across all Regions. Changes are effective December 15, 2025 and are applied automatically to all customers. The managed service supports PCI-aligned cryptographic operations, helping organizations reduce reliance on dedicated payment HSMs and scale key management and payment processing more cost-effectively.

⚠️ Siemens has released a security advisory for SINEMA Remote Connect Server, affecting all versions prior to V3.2 SP4. Two vulnerabilities allow authenticated users with local or network access to read private TLS keys (incorrect permission assignment) and to bypass license enforcement via direct database modification (incorrect authorization). CISA lists CVE-2025-40818 (CVSS 3.3) and CVE-2025-40819 (CVSS 4.3). Apply the vendor update to V3.2 SP4 or later and follow recommended network-hardening measures.

🔐 The International Association of Cryptologic Research (IACR) nullified its 2025 online election after trustee Moti Yung irretrievably lost his private decryption key. The election used the Helios voting system with a strict 3-of-3 trustee decryption scheme, so the missing key meant the system could not compute the final decryption shares or verify the outcome. The loss was an honest human error; the IACR will rerun the vote under a 2-of-3 threshold to permit recovery, and the incident was reported by outlets including Ars Technica and The New York Times.

🔐 AWS Payment Cryptography is now available in Canada (Montreal), Africa (Cape Town) and Europe (London). The fully managed service centralizes payment-specific cryptographic operations and key management for cloud-hosted payment applications and scales elastically to meet changing workloads. It is assessed as compliant with PCI PIN and PCI P2PE, reducing the need for dedicated payment HSMs. Customers can position cryptographic operations closer to latency-sensitive applications and pursue multi-Region high availability.

🔒 The article argues that data sovereignty commitments like Project Texas must be supported by auditable, technical evidence rather than marketing promises. It prescribes five concrete, testable controls — brokered zero‑trust access, in‑region HSM keys, immutable WORM logs, continuous validation, and third‑party attestation — plus measurable metrics to prove compliance. A 90‑day blueprint and emerging AI automation are offered to operationalize verification and produce regulator‑ready, reproducible evidence.

🔒 The FinWise data breach involved a former employee who retained credentials and accessed systems on May 31, 2024, exposing personal records for 689,000 American First Finance customers. The intrusion remained undetected until June 18, 2025, prompting lawsuits alleging inadequate encryption and weak security governance. Experts say robust protection requires not only encryption but effective key management, strict access controls, and proactive monitoring. Vendor solutions such as D.AMO are presented as integrated platforms combining encryption, an isolated KMS, and centralized control to mitigate insider risk.

🔐 Amazon RDS for SQL Server now supports encrypting native backup files (.bak) stored in Amazon S3 using server-side encryption with AWS KMS keys (SSE-KMS). By default, native backups remain encrypted with Amazon S3-managed keys (SSE-S3), and customers can opt to apply their own KMS key for additional protection and key control. To enable the feature, update the KMS key policy to grant the RDS backup service access and specify the parameter @enable_bucket_default_encryption in the native backup stored procedure. This capability is available in all AWS Regions where Amazon RDS for SQL Server is offered.

🔐 AWS now supports customer-managed AWS Key Management Service (KMS) keys for Amazon Bedrock Guardrails Automated Reasoning checks. Customers can encrypt policy content and test artifacts with their own keys instead of the default key, retaining control over lifecycle and access. This capability helps regulated organizations meet compliance requirements and is available in all Bedrock Guardrails regions. Refer to AWS documentation and the Bedrock console to get started.

🔐 Google Cloud Key Management Service (Cloud KMS) now offers preview support for post-quantum Key Encapsulation Mechanisms (KEMs), enabling customers to begin migrating to quantum-resistant key exchange. Cloud KMS supports ML-KEM-768, ML-KEM-1024, and the hybrid X-Wing (X25519+ML-KEM-768) option. The preview aims to mitigate "Harvest Now, Decrypt Later" risks and provide HPKE-compatible integrations via Tink and BoringCrypto. Developers are advised to adopt hybrid deployments and plan for larger key and ciphertext sizes that affect bandwidth and storage.

🔐 IAM Identity Center now supports customer-managed AWS KMS keys to encrypt workforce identity data, including user and group attributes. While AWS-owned keys remain the default, a customer-managed key (CMK) lets organizations control key lifecycle, policies, and usage permissions for stronger security and compliance. CMKs can be set when enabling a new organization instance or added to existing ones, and their usage is auditable via AWS CloudTrail. Support is available for access to accounts and select AWS applications across all IAM Identity Center regions; standard KMS charges apply.

🔐 Amazon EventBridge now supports AWS KMS customer managed keys for event bus rule filter patterns and input transformers. This lets you encrypt the logic that selects and modifies events with your own keys to meet security and compliance requirements while retaining full key control. The feature is available in all commercial AWS Regions and can be audited via AWS CloudTrail. There is no additional EventBridge charge, though standard AWS KMS pricing applies.

🔐 AWS introduces Multi-Region keys for AWS Payment Cryptography, a built-in option to automatically synchronize exportable symmetric payment keys from a primary Region to one or more replica Regions. You can choose account-level defaults or per-key replication targets, keep consistent key IDs across Regions, and rely on asynchronous replication with monitoring via new CloudTrail events. The feature improves availability and disaster recovery for global payment operations while preserving granular control over replication.

🔐 AWS IoT Core now supports customer-managed keys (CMK) via AWS KMS, enabling encryption of data stored in IoT Core with customer-controlled keys. When CMK is selected, AWS automatically re-encrypts existing stored data and manages the transition to avoid operational disruption. The feature is available in all Regions where IoT Core is supported and enhances control over key lifecycle — creation, rotation, monitoring, and deletion.

🔐 This AWS Security Blog post, republished July 30, 2025, demonstrates how to migrate an Oracle 19c Transparent Data Encryption (TDE) keystore on Amazon EC2 from a file-based wallet to AWS CloudHSM using the CloudHSM Client SDK 5. It walks through prerequisites—CloudHSM cluster, CloudHSM admin and crypto users, network connectivity—and stepwise commands to install the client and PKCS#11 library, adjust Oracle WALLET_ROOT/TDE_CONFIGURATION, and run the ADMINISTER KEY MANAGEMENT migration. The guide also covers creating an auto-login keystore, verifying V$ENCRYPTION_WALLET status, and outlines benefits such as FIPS-validated hardware, centralized management, and improved compliance.