Envelope Encryption

  • Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key.

  • You can even encrypt the data encryption key under another encryption key, and encrypt that encryption key under another encryption key, etc.

    • But, eventually, one key must remain in plaintext so you can decrypt the keys and your data.

    • This top-level plaintext key encryption key is known as the master key.

  • KMS helps you to protect your master keys by storing and managing them securely.

  • Master keys stored in KMS, known as CMKs, never leave the AWS KMS FIPS-validated hardware security modules unencrypted.

  • To use a KMS CMK, you must call KMS.
