Learn how we handle the resilience of the OVHcloud KMS (Key Management Service).
Instructions
The OVHcloud KMS architecture has three main objectives:
- Confidentiality: Ensure that no one except you can access your keys.
- Availability: Offer a high level of resilience and, therefore, high availability.
- Integrity: Make sure that keys cannot be lost or altered.
Access Management
Access to the keys is controlled by the OVHcloud IAM. Only the users allowed by an IAM policy can manage the keys or use them to encrypt or sign data.
Even OVHcloud employees cannot access your keys.
KMS architecture
The OVHcloud KMS is, by design, replicated across multiple data centers.
KMS components location
Each KMS Region consists of several hosts in a single OVHcloud Region.
These hosts are partitioned into two different zones so that any single hardware failure is as unlikely as possible to take out both zones at once.
Data resilience
- DB Replication
The KMS will not return a success status for creating or importing key material unless that data was successfully replicated to both zones. This is to ensure that if one of the databases is lost, no key will be lost. Consequently, if one zone becomes unavailable, the KMS will refuse to create new keys. However, existing keys will still be available to perform cryptographic operations.
The key material is also replicated to a second database in a different region. Because replication to a remote region has a higher latency, we do not wait for that replication to be complete before returning a success status to the user. Replication to the remote region will typically lag a few seconds at most behind the main region.
- DB Backups
Backups are taken from the replica every 5 minutes. Each backup is stored in two regions: a first copy in the primary KMS region and a second copy in a different KMS region.
These backups are kept for 30 days.
Data security
All customer data is always stored encrypted, both in the databases and in the backups.
Backup location
The backup location depends on the location of the OVHcloud KMS.
- US-EAST-VA
  - KMS Backup Region: US-WEST-OR
- US-WEST-OR
  - KMS Backup Region: US-EAST-VA
Disaster scenarios
What happens if one host in a zone is lost?
Keys remain available, and traffic is redirected to the other zone. Requests in flight can time out or return errors. If the database is down, the KMS will refuse to create or import new keys.
What happens if a zone is lost?
Keys remain available. The other zone stays available to serve user queries but will refuse to create or import new keys.
What happens if the primary region is lost?
Keys created in the last few seconds can be lost, and the KMS becomes unavailable. The database replica in the remote region is used to rebuild the database and recover the stored keys.
What happens if the primary region and the remote replica are lost?
Keys created in the last 5 minutes can be lost, and the KMS becomes unavailable. The latest database backup is used to rebuild the database and recover the stored keys.
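The following toy model, added here as an illustration and not OVHcloud code, ties together the replication rules from the Data resilience section and the outcomes listed under Disaster scenarios: a create or import is acknowledged only once both zones hold the key, any healthy zone can serve an existing key, the remote replica trails the primary by a few seconds, and backups are taken from that replica every 5 minutes. The 3-second remote lag, the zone names "A" and "B", the key ids and the timeline in build_scenario() are all constructed assumptions chosen to make the recovery points visible.

```python
from dataclasses import dataclass, field

REMOTE_LAG_S = 3.0         # assumed lag of replication to the remote region
BACKUP_INTERVAL_S = 300.0  # backups are taken from the replica every 5 minutes


class ZoneUnavailable(Exception):
    """A create/import could not be acknowledged by both zones."""


@dataclass
class KmsRegion:
    now: float = 0.0
    zone_up: dict = field(default_factory=lambda: {"A": True, "B": True})
    zones: dict = field(default_factory=lambda: {"A": {}, "B": {}})
    remote_replica: dict = field(default_factory=dict)
    backups: list = field(default_factory=list)  # (taken_at, snapshot) pairs
    ledger: dict = field(default_factory=dict)   # every key ever acknowledged, for loss accounting
    next_backup_at: float = BACKUP_INTERVAL_S
    primary_lost: bool = False

    # Write path: success only when both zones have stored the key material.
    def create_key(self, key_id: str, material: bytes) -> str:
        if not all(self.zone_up.values()):
            raise ZoneUnavailable("create/import refused: cannot replicate to both zones")
        for zone in self.zones.values():
            zone[key_id] = (material, self.now)
        self.ledger[key_id] = (material, self.now)
        return key_id

    # Read path: any healthy zone that holds the key can serve it.
    def use_key(self, key_id: str) -> bytes:
        for name, zone in self.zones.items():
            if self.zone_up[name] and key_id in zone:
                return zone[key_id][0]
        raise KeyError(key_id)

    # The remote replica holds every key created at least REMOTE_LAG_S ago.
    def _replica_as_of(self, t: float) -> dict:
        return {k: v for k, v in self.ledger.items() if v[1] <= t - REMOTE_LAG_S}

    def tick(self, seconds: float) -> None:
        """Advance the clock, apply lagged remote replication, take scheduled backups."""
        self.now += seconds
        if self.primary_lost:
            return  # nothing flows out of a dead region
        while self.next_backup_at <= self.now:
            self.backups.append((self.next_backup_at, self._replica_as_of(self.next_backup_at)))
            self.next_backup_at += BACKUP_INTERVAL_S
        self.remote_replica = self._replica_as_of(self.now)

    def fail_zone(self, name: str) -> None:
        self.zone_up[name] = False

    def restore_zone(self, name: str) -> None:
        other = "B" if name == "A" else "A"
        self.zones[name] = dict(self.zones[other])  # resync from the surviving zone
        self.zone_up[name] = True

    def lose_primary_region(self) -> None:
        self.primary_lost = True
        self.zone_up = {"A": False, "B": False}
        self.zones = {"A": {}, "B": {}}

    # Recovery rebuilds both zones from a snapshot and returns the ids that are gone.
    def _rebuild_from(self, snapshot: dict) -> set:
        lost = set(self.ledger) - set(snapshot)
        self.ledger = dict(snapshot)
        self.zones = {"A": dict(snapshot), "B": dict(snapshot)}
        self.zone_up = {"A": True, "B": True}
        self.primary_lost = False
        return lost

    def recover_from_replica(self) -> set:
        return self._rebuild_from(self.remote_replica)

    def recover_from_backup(self) -> set:
        self.remote_replica = {}  # both the region and its remote replica are gone
        _, latest = max(self.backups, key=lambda b: b[0])
        return self._rebuild_from(latest)


def build_scenario() -> KmsRegion:
    """Constructed timeline: k1 at t=0, k2 at t=10, backup at t=300, k3 at t=305, k4 at t=315."""
    r = KmsRegion()
    r.create_key("k1", b"m1")
    r.tick(10)
    r.create_key("k2", b"m2")
    r.tick(295)  # crosses the 5-minute backup boundary at t=300
    r.create_key("k3", b"m3")
    r.tick(10)   # k3 has now reached the remote replica
    r.create_key("k4", b"m4")
    r.tick(1)    # k4 has not yet reached the remote replica
    return r


def run_scenarios() -> dict:
    """Replays the three disaster scenarios and records what each one loses."""
    results = {}
    r = build_scenario()                      # one zone lost
    r.fail_zone("A")
    results["use_during_zone_loss"] = r.use_key("k1")
    try:
        r.create_key("k5", b"m5")
        results["create_during_zone_loss"] = "accepted"
    except ZoneUnavailable:
        results["create_during_zone_loss"] = "refused"
    r.restore_zone("A")
    results["create_after_zone_restore"] = r.create_key("k5", b"m5")
    r = build_scenario()                      # primary region lost, replica survives
    r.lose_primary_region()
    results["lost_with_replica"] = sorted(r.recover_from_replica())
    results["usable_after_replica_recovery"] = r.use_key("k3")
    r = build_scenario()                      # primary region and replica lost
    r.lose_primary_region()
    results["lost_with_backup_only"] = sorted(r.recover_from_backup())
    results["backup_taken_at"] = r.backups[-1][0]
    return results
```

Running run_scenarios() shows the three recovery points side by side: a zone failure loses nothing but blocks new keys until the zone is back, a region failure loses only the keys that had not yet crossed the replication lag, and losing the replica as well falls back to the last 5-minute backup.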
Go further
For more information and tutorials, please see our other Manage & Operate support guides or explore the guides for other OVHcloud products and services.