Approach for Client-Side Encryption with AWS KMS, Separate Keys for Each Column, and Key Rotation


I'm working on implementing client-side encryption in my application, using AWS KMS for key generation. I aim to have a separate key for each column that needs encryption, and the encryption process should be performed on the fly. Additionally, I'm interested in understanding key rotation best practices.

I'm particularly confused about whether to create one key for all columns or a separate key for each column. Obviously, creating one for each looks more secure; if so, how do I create keys on the fly (whenever a new column is added/modified with the encrypt:true option)? Any insights or guidance would be greatly appreciated. Thank you!

PS: I use TypeORM & RDS (Postgres)

1 Answer

If you decide to pursue client-side encryption, check out the AWS Encryption SDK. It's a client-side encryption library designed to make it easy for you to encrypt and decrypt data using industry standards and best practices. The library performs envelope encryption on your behalf. Envelope encryption is a scheme in which a unique data key is generated and encrypted under your root key, and then the plaintext data key is used to encrypt your data. To decrypt the data, your root key is used to decrypt the encrypted data key to retrieve the plaintext data key, which is then used to decrypt your data. Using this method, you can encrypt each field value under its own unique data key.

For key management, it's up to you to decide whether you want a root key per column or a single root key for all columns. If you use the envelope encryption scheme and do not encrypt data directly with your root key, then a single root key should be sufficient, given that you are using the root key exclusively to encrypt data keys and there is no risk of crypto wear-out (assuming a sufficiently large root key size). The one benefit you get from having a unique root key per column is controlling your blast radius in case your root key is compromised. However, if you are using KMS to protect your root key, then this should be of less concern. You can also rotate your root key conveniently from KMS without affecting your previously generated data keys. See this blog for more information on rotation.

If you have the flexibility to use another database, check out the AWS Database Encryption SDK for DynamoDB.

AWS
answered 23 days ago
