Key management and cryptography

I've read an interesting quote:
"Kissner’s law: Cryptography converts many problems into key management problems, and key management problems are way harder than you think."
This resonates with my experience. There is a huge difference between encrypted storage when encryption happens on the client side and when it's managed by the server, for example.
I've written a couple of articles about encryption, mostly in the context of the cloud.
In "Seamless S3 encryption does not imply better security" I wrote:
"SSE-S3 helps to tick a box, but nothing else"
This was at the time when by default objects were stored unencrypted and there was an option to turn on seamless encryption. Since it did not change how objects are accessed (hence the "seamless" in the name) it had no observable effect.
Then in a separate article, "Encryption in the cloud", I looked into the other, non-seamless variety of encryption in AWS. My conclusion was mainly about KMS:
"encryption does nothing else but splits permissions into two required parts"
This is because if an object is encrypted using a KMS key then the user needs two permissions: one is to read the object, the other is to use the key to decrypt it. But since there is no way to get back the encrypted object itself, it is only a separate inter-service access control layer.
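The two permissions described above, written out as an IAM identity policy. This is an added example, not taken from the original articles: the bucket name, region, account ID and key ID are placeholders, the Sid values are made up for illustration, and it assumes the key policy lets IAM policies grant access to the key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadObjectsFromPlaceholderBucket",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"
    },
    {
      "Sid": "DecryptWithPlaceholderKey",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:REGION:ACCOUNT-ID:key/KEY-ID"
    }
  ]
}
```

With only the first statement, reading an object encrypted with the KMS key is denied, while an SSE-S3 object is returned as plaintext. Removing the second statement is therefore a way to revoke access to KMS-encrypted objects without touching the S3 permissions.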
Finally, after the Zoom fiasco, when they claimed that they use end-to-end encryption but did not, I wrote an article, "What is end-to-end encryption and why it's such a confusing term". In it, I looked at how TLS termination breaks E2EE and also how key management determines who can access the data.