How Safe Are Private Keys in the Cloud?

November 26, 2018 | Guest Blogger: Miguel A. Calles, MBA

Private keys are important files to protect because they are used to encrypt sensitive data. Critical damage to companies and individuals may result if these files fall into the wrong hands. Therefore, these files not only need protection, they also need a backup and disaster recovery (BDR) plan. Private key BDR in the cloud has its benefits but it also has its downsides.

Benefits of the Cloud

The cloud as a BDR solution has exploded in popularity due to its convenience, lower infrastructure costs, and the availability of application programming interfaces (APIs) for integrating BDR into processes. The data is stored on an anonymous server somewhere in the cloud infrastructure, and the cloud provider guarantees a certain level of availability and redundancy for that data. Thus, the worry about losing a file is diminished, while the effort devoted to integrity and availability is increased.

Downsides of the Cloud

The cloud inherently suffers from a lack of confidentiality. By definition, it is difficult to keep something secret when you share it with another party over whose actions you have little control. The replication that gives cloud data its availability becomes a double-edged sword when you try to permanently delete a file: you can never fully know whether an unaccounted-for remnant still exists somewhere. Furthermore, data can be stolen if the provider is compromised and the data was not properly secured, whether through the user's own misconfiguration or a security hole in the provider's infrastructure. Once data is put in the cloud, it can become public over time.

Strategies for Using the Cloud

The traditional approach is to have all data stored on a physical device in close proximity, also called an on-premise solution. A cloud solution has data stored on a physical device in a location unknown to you. A company or individual can opt for a hybrid approach where certain data is stored on-premise and certain data is stored in the cloud.

For example, if you have extremely sensitive data, you may choose to store it only on-premise. The data is encrypted with a private key to increase the level of confidentiality. You may choose to save the private key on-premise in multiple media: a data store different from the one holding the encrypted data, a portable hard drive locked in a safe, and optical media (e.g. CD or DVD) protected with an encryption password. It would be best to avoid the cloud and store another copy of the key in a different trusted location. But if the cloud is desired, the file should: have an unambiguous filename; be stored under an unambiguous account name; have the vendor-provided data security options enabled; use a long key length; and have a short key life. Reducing both the risk and the extent of damage is imperative for highly sensitive data.

In another example, sensitive data whose compromise would have less than catastrophic impact on a business or an individual can be stored with both on-premise and cloud solutions. In this hybrid approach the data is encrypted for storage, and the private key still needs to be protected. The private key can be stored on-premise with the same rigor as in the previous example. For the cloud copy, storing the private key under a different account name with a different cloud provider reduces risk, in addition to following the same rigor as in the previous example.
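As an added example that is not part of the original post, the following POSIX shell script wraps a private key under a separate key-encryption passphrase before it is backed up (the "different key" of both examples above) and enforces the conditions listed for a cloud copy: encrypted, long key length, short key life, unambiguous filename. It assumes the openssl command-line tool is installed; the numeric thresholds and file names are assumed values, not figures from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Thresholds below
# (3072-bit minimum, 365-day maximum key life) are assumed values.
MIN_BITS=3072
MAX_AGE_DAYS=365

# Encrypt a plaintext PEM private key into a PKCS#8 blob under a separate
# key-encryption passphrase ($2, a file kept off-cloud), then confirm the
# blob can actually be opened with that passphrase before it is backed up.
wrap_key_for_backup() {   # $1 plain key, $2 passphrase file, $3 output file
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$1" -passout "file:$2" -out "$3" &&
    openssl pkey -in "$3" -passin "file:$2" -noout
}

# Print the modulus size (bits) of a plaintext RSA private key.
key_bits() {
    openssl pkey -in "$1" -text -noout | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Return 0 only if a backup blob meets the article's conditions: encrypted
# with a different key, long key length, short key life, unambiguous name.
check_backup_policy() {   # $1 wrapped file, $2 plain key, $3 key creation (epoch secs)
    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1" || { echo "not encrypted: $1"; return 1; }
    bits=$(key_bits "$2")
    [ "$bits" -ge "$MIN_BITS" ] || { echo "key too short: $bits bits"; return 1; }
    age_days=$(( ( $(date +%s) - $3 ) / 86400 ))
    [ "$age_days" -le "$MAX_AGE_DAYS" ] || { echo "key too old: $age_days days"; return 1; }
    case "$(basename "$1")" in
        *-backup-*.pem.enc) ;;    # e.g. payroll-db-backup-2018-11.pem.enc (constructed)
        *) echo "ambiguous filename: $1"; return 1 ;;
    esac
    echo "ok: $1"
}

# End-to-end: generate a constructed key, wrap it, run the checks.
backup_demo() {
    workdir=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -out "$workdir/plain.pem" 2>/dev/null
    printf 'constructed-passphrase-kept-in-the-safe' > "$workdir/kek.txt"
    wrap_key_for_backup "$workdir/plain.pem" "$workdir/kek.txt" \
        "$workdir/payroll-db-backup-2018-11.pem.enc" &&
    check_backup_policy "$workdir/payroll-db-backup-2018-11.pem.enc" \
        "$workdir/plain.pem" "$(date +%s)"
}

backup_demo
```

The plaintext key is only ever read locally to measure its length; the file that leaves the machine is the passphrase-wrapped blob, and the passphrase stays off-cloud.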

Using Vendor Capabilities

Vendors understood from the start that security concerns are a barrier to cloud adoption, and many provide built-in security features to address them. For example, Amazon Web Services provides in-transit and at-rest encryption capabilities with support for both self-managed and vendor-managed private keys. Data transferred to the cloud can be protected with secure transport technologies, e.g. HTTPS and SSL/TLS. Data stored in the cloud can be encrypted with a customer-provided key or a vendor-provided key; a vendor-managed key can be compromised if the administrator account is compromised. Any private keys backed up to the cloud can also be encrypted with a different key.


Private keys can be stored in the cloud with a reasonable level of security and reduced risk, and providers have come a long way in offering security features in the cloud. Both on-premise and cloud solutions face similar threats: vulnerabilities from outdated software and operating systems, and insufficient cyber hygiene. Insecure passwords and unpatched data stores undermine any security strategy. Cloud providers are diligent about cyber hygiene and work with security researchers to address zero-day vulnerabilities, which makes cloud solutions stronger from a cyber hygiene perspective. The downfalls of using the cloud stem from a weak security strategy.

Are private keys safe in the cloud? They can be when good vendors, good security strategies, and good cyber hygiene are put in place. Given the dynamic nature of the cloud, the sheer number of keys that are generated in a short amount of time can quickly become a management challenge.

An important part of this process involves investing in a solution that manages and protects machine identities across cloud and on-premise environments. One such solution is Venafi Trust Protection Platform, which allows organizations to continuously monitor their digital keys and certificates for signs of abuse.
