KMS Envelope Encryption
Process of encrypting envelope key
- Use Customer Master Key to encrypt the envelope Key
- Envelope key is used to encrypt data
Decryption with AWS
- Encrypted Data Key
- Use KMS Master key to Decrypt Data Key
- Use Plain Text Data Key to decrypt data
Envelope Encryption
When you encrypt your data, your data is protected, but you have to project your encryption key. One strategy is to encrypt it. Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypted the data key under another key.
You can even encrypt the data encryption key under another encryption key, and encrypt that encryption key under another encryption key. But, eventually, one key must remain in plaintext so you can decrypt the keys and your data. This top-level plaintext key encryption key is known as the master key.
KMS helps you to protect your master keys by storing and managing them securely. Master keys stored in AWS KMS, known as customer master keys (CMKs), never leave the AWS KMS FIPS validated hardware security models unencrypted. To use an AAWS KMS CMK, you must call AWS KMS.
Envelope Encryption offers several benefits:
- Protecting Data Keys
- When you encrypt a data key, you don't have to worry about storing the encrypted data key, because the data key is enherently protected by encryption. You can safely store the encrypted data key alongside the encrypted data.
- Encrypting the same data under multiple master keys
- Encryption operations can be time-consuming, particularly when the data being encrypted are large objects. Instead of re-encrypting raw data multiple times with different keys, you can re-encrypt only the data keys that protect the raw data.
- Combining the strengths of multiple algorithms
- In general, symmetric key algorithms are faster and produce smaller ciphertexts than public key algorithms, but public key algorithms provide inherent separation of roles and easier key management. Envelope encryption lets you combine the strengths of each strategy.