AWS Secrets Manager Supports Hybrid Key Exchange With ML-KEM Algorithm

A software upgrade now allows mitigation of the long-term threat of quantum computers cracking encrypted secrets stored within AWS Secrets Manager. The service now supports TLS 1.3 with hybrid post–quantum key exchange for clients that support this capability, combining established cryptography like X25519 with post-quantum algorithms such as ML-KEM. This proactive measure addresses the “harvest now, decrypt later” risk, where malicious actors store encrypted data to decrypt once quantum computers become powerful enough. Secrets already at rest are protected by AWS Key Management Service using symmetric encryption, which is considered quantum-resistant; asymmetric cryptography faces quantum threats. This launch is part of AWS’s ongoing commitment to migrate systems to post-quantum cryptography and to make it straightforward for customers to do the same. Harvest Now, Decrypt Later (HNDL) Risk Mitigation Quantum-resistant cryptography is an increasingly important consideration for long-term data security. The escalating capabilities of quantum computing pose a potential risk to existing encryption methods, prompting a proactive shift in security strategies. This combination bolsters security against both classical and potential quantum attacks, offering a layered approach to data protection. Mitigating HNDL risk through AWS Secrets Manager is streamlined; regardless of how a workload accesses Secrets Manager, a client-side software upgrade is the only action needed to address risk from HNDL. This simplicity belies the complexity of the underlying cryptographic advancements, offering a relatively painless transition for users concerned about long-term data security. Properly implemented symmetric encryption, already employed by AWS Key Management Service (AWS KMS) for secrets at rest, is considered quantum-resistant, providing a foundational layer of protection. However, the vulnerability lies in asymmetric cryptography, which is why the focus has shifted to bolstering key exchange protocols. Several AWS clients have been updated to prioritize this hybrid post-quantum TLS connection.

The Secrets Manager Agent (version 2.0.0 or later), the AWS Lambda extension (version 19 or later), and the Secrets Manager CSI Driver (version 2.0.0 or later) all now enable and prefer post-quantum key exchange when connecting to Secrets Manager. For developers utilizing AWS SDKs, hybrid post-quantum key exchange is available in supported versions, with specific requirements varying by language and operating system. Users can verify that connections are actively using hybrid post-quantum key exchange by using AWS CloudTrail, Wireshark, or browser developer tools. For SDK-based clients, hybrid post-quantum key exchange is available in supported AWS SDKs, though enablement requirements vary by language, version, and operating system. See the following table for your SDK client. When a client is upgraded to support hybrid post-quantum key exchange, the Secrets Manager service endpoint automatically selects it during the TLS handshake. Upgrading to the versions listed in the table is the only action needed for a workload to begin using hybrid post-quantum key exchange when calling Secrets Manager APIs. TLS 1.3 & Hybrid Post-Quantum Key Exchange Implementation Amazon Web Services is now actively deploying defenses against potential “harvest now, decrypt later” (HNDL) attacks targeting data in transit, signaling a shift from theoretical preparation to practical implementation of post-quantum cryptography. This proactive stance centers on an upgrade to Transport Layer Security (TLS) 1.3, incorporating a hybrid key exchange approach that combines established cryptographic algorithms with post-quantum algorithms like ML-KEM. The implementation, currently rolling out across AWS Secrets Manager, is not a distant future consideration. Regardless of how workloads access Secrets Manager, “upgrading the client-side of your workloads to support quantum-resistant confidentiality is an important aspect of your side of the post-quantum cryptography shared responsibility model,” and a single software update is sufficient to address the HNDL risk. This ease of implementation is a deliberate strategy, aiming to lower the barrier to entry for organizations seeking to bolster their quantum resilience. This isn’t a complete overhaul of existing security infrastructure; this layered approach acknowledges that the post-quantum cryptography challenge isn’t solely about key exchange, but about securing data throughout its lifecycle. Users can verify that connections are actively using hybrid post-quantum key exchange using AWS CloudTrail, Wireshark, or browser developer tools. He partners with AWS customers to design and implement security architectures that address both current and emerging threats.

Secrets Manager Client Upgrade Requirements (v2.0.0+) Researchers at AWS are proactively addressing the evolving threat landscape with updates to their Secrets Manager service, focusing on bolstering defenses against potential future attacks leveraging quantum computing. The core of this effort lies in a client-side software upgrade, version 2.0.0 and later for several key clients, designed to mitigate the “harvest now, decrypt later” (HNDL) risk. This strategy acknowledges that even currently encrypted secrets could be vulnerable once sufficiently powerful quantum computers become available, prompting a shift towards quantum-resistant cryptography. Properly implemented symmetric encryption is considered quantum-resistant; asymmetric cryptography faces quantum threats. Regardless of how your workload accesses Secrets Manager, this client-side software upgrade is the only action you need to take to address risk to secrets from HNDL.

Verifying Hybrid Post-Quantum Key Exchange with CloudTrail Establishing confidence in newly deployed cryptographic defenses requires more than just implementation; verifiable proof of operation is paramount, and AWS is leveraging its CloudTrail service to provide this for its hybrid post-quantum key exchange offering within Secrets Manager. For SDK-based clients, hybrid post-quantum key exchange is available in supported AWS SDKs. Enablement requirements vary by language, version, and operating system. However, simply upgrading the client isn’t enough for some organizations; security teams and compliance officers require demonstrable evidence of correct operation. This is where CloudTrail comes in, logging detailed information about API calls, including the TLS negotiation parameters. Verification involves a two-step process: first, retrieving a secret using one of the supported clients, triggering a GetSecretValue API call, and then examining the corresponding CloudTrail event. On the server side, hybrid post-quantum key exchange in TLS can be confirmed by using AWS CloudTrail. On the client side, TLS handshake details can be inspected using a utility like Wireshark or by using developer tools built into major web browsers. Note : The userAgent value depends on the client you use. Asymmetric vs. Symmetric Encryption & Quantum Resistance While much attention focuses on the looming threat of quantum computers breaking current encryption, a nuanced reality exists regarding which cryptographic methods are most vulnerable and how quickly defenses are being deployed. It is a common misconception that all encryption will be rendered useless; the immediate danger lies with asymmetric, or public-key, cryptography, while symmetric encryption is considered quantum-resistant and offers a degree of resilience. This isn’t simply a matter of preparing for a distant future; the “harvest now, decrypt later” (HNDL) attack scenario is a present concern. The speed with which AWS has enabled hybrid post-quantum key exchange across multiple client integrations, including SDKs for Rust, Go, and Node.js, demonstrates a commitment to addressing this risk. She delights in assisting her customers at any step of their security journey. Source: https://aws.amazon.com/blogs/security/protecting-your-secrets-from-tomorrows-quantum-risks/ Tags: