EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
cloud-securityencryptionAESGCM

Encryption Fundamentals for Cloud Security

Symmetric vs. asymmetric encryption, AES operating modes in cloud platforms, envelope encryption as the cloud standard, encrypting data across all three states, and the post-quantum cryptographic standards NIST finalised in 2024.

Ashish Revar3 July 202614 min read1 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Reference material

eBook
Cloud Security — eBook
v2026
Open resource
Cheatsheet
Cloud Security — Cheatsheet
v2026
Open resource
MCQ Bank
Cloud Security — MCQ Bank
v2026
Open resource
Question Bank
Cloud Security — Question Bank
v2026
Open resource

External references

NIST SP 800-175B: Guideline for Using Cryptographic Standards

NIST guidance on selecting and using approved cryptographic algorithms and modes.

paper
NIST SP 800-175B: Guideline for Using Cryptographic Standards

NIST guidance on selecting and using approved cryptographic algorithms and modes.

paper
NIST Post-Quantum Cryptography Standards (FIPS 203, 204, 205)

NIST post-quantum cryptography project page with links to FIPS 203, 204, and 205 standards.

paper
NIST Post-Quantum Cryptography Standards (FIPS 203, 204, 205)

NIST post-quantum cryptography project page with links to FIPS 203, 204, and 205 standards.

paper
AWS KMS Encryption Context and Envelope Encryption

AWS KMS developer guide explaining envelope encryption, data keys, and encryption context.

blog
AWS KMS Encryption Context and Envelope Encryption

AWS KMS developer guide explaining envelope encryption, data keys, and encryption context.

blog
Google Cloud Encryption at Rest Whitepaper

Google Cloud technical whitepaper on default encryption implementation across all GCP services.

paper
Google Cloud Encryption at Rest Whitepaper

Google Cloud technical whitepaper on default encryption implementation across all GCP services.

paper
More articlesTest your knowledge

Why Encryption Is the Last Line of Defence

Perimeter controls fail. Credentials get stolen. Insider threats are real. Encryption is the control that makes stolen data useless — without the key, ciphertext is computationally irretrievable. In cloud environments where you share physical infrastructure with unknown tenants, encryption is not optional.

Symmetric Encryption

Symmetric encryption uses the same key for encryption and decryption. It is fast and efficient, making it ideal for encrypting large volumes of data (files, database records, storage volumes).

AES (Advanced Encryption Standard) is the universal symmetric standard:

  • AES-128: 128-bit key, 10 rounds — considered secure for most commercial applications
  • AES-256: 256-bit key, 14 rounds — recommended for sensitive government and financial data

AES Operating Modes in Cloud Platforms

The mode determines how AES processes data blocks — and the wrong mode choice breaks security even with a perfect key.

ModeFull NameCloud UseSecurity Note
ECBElectronic CodebookAlmost neverIdentical plaintext blocks produce identical ciphertext — never use for structured data
CBCCipher Block ChainingLegacy TLS, file encryptionRequires IV; vulnerable to padding oracle attacks (POODLE)
CTRCounterHigh-performance streamingConverts AES to stream cipher; IV must never repeat
GCMGalois/Counter ModeTLS 1.3, AWS, GCP defaultProvides both encryption AND authentication (AEAD); strongly recommended

AWS KMS, GCP Cloud KMS, and Azure Key Vault all use AES-256-GCM as their default encryption mode. Use it.

Asymmetric Encryption

Asymmetric encryption uses a mathematically related key pair: a public key (encrypt/verify) and a private key (decrypt/sign).

  • RSA: Key lengths of 2048-bit (minimum) or 4096-bit. Used for key exchange and digital signatures. Slow for bulk data.
  • ECC (Elliptic Curve Cryptography): Smaller keys, equivalent security. P-256 and P-384 curves preferred. Basis for ECDH key exchange in TLS 1.3.

In cloud, asymmetric encryption is used for:

  • TLS certificate key pairs (HTTPS)
  • SSH key pairs for EC2 access
  • Code signing (AWS Signer, GCP Binary Authorization)
  • KMS key wrapping (encrypting symmetric data keys with an asymmetric master key)

Envelope Encryption — The Cloud Standard

Directly encrypting large datasets with KMS master keys is expensive and limited (KMS operations have rate limits and cost per call). The solution is envelope encryption:

1. Generate a unique Data Encryption Key (DEK) locally
2. Encrypt the data with the DEK (fast, local AES-GCM)
3. Encrypt (wrap) the DEK with the KMS Master Key (KMS API call)
4. Store the encrypted data alongside the encrypted DEK
5. On decryption: call KMS to unwrap the DEK, then decrypt the data locally

This pattern means the KMS master key never leaves the KMS hardware — only the wrapped DEK is transmitted. Every S3 SSE-KMS encryption, every EBS volume encryption, and every RDS encrypted snapshot uses this pattern.

Encryption Across the Three Data States

StateWhat It MeansCloud Implementation
At RestData stored on disk, object storage, databasesS3 SSE-KMS, EBS encryption, RDS encrypted storage
In TransitData moving between componentsTLS 1.2+ for all API calls; VPN/Direct Connect for hybrid
In UseData being processed in memoryAWS Nitro Enclaves, Azure Confidential Computing — Trusted Execution Environments

Data in use (in memory during processing) is the hardest to protect. Confidential computing using Trusted Execution Environments (TEEs) encrypts data even while it is being processed by the CPU.

Post-Quantum Cryptography

Current asymmetric algorithms (RSA, ECC) are vulnerable to cryptographically relevant quantum computers running Shor algorithm. NIST standardised three post-quantum algorithms in 2024:

StandardAlgorithmPurpose
FIPS 203ML-KEM (Module-Lattice KEM)Key encapsulation, replacing RSA/ECDH
FIPS 204ML-DSA (Module-Lattice Digital Signature)Digital signatures, replacing RSA/ECDSA
FIPS 205SLH-DSA (Stateless Hash-Based DSA)Hash-based signatures, alternative to FIPS 204

Crypto-agility — designing systems to swap cryptographic algorithms without redesigning the entire architecture — is now a mandatory design principle. Start planning your migration from RSA and ECC to post-quantum algorithms today.

Key Takeaway

Encryption protects data when every other control has failed. Use AES-256-GCM for data at rest, TLS 1.3 for data in transit, envelope encryption via KMS for key management, and start planning your post-quantum migration now — not when quantum computers arrive.