Envelope Encryption
Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key.
You can go further and encrypt the data encryption key under another key encryption key, that key under yet another, and so on.
Eventually, though, one key must remain in plaintext so that you can decrypt the chain of keys and then your data.
This top-level plaintext key encryption key is known as the master key.
KMS helps you to protect your master keys by storing and managing them securely.
Master keys stored in KMS, known as CMKs, never leave the AWS KMS FIPS-validated hardware security modules unencrypted.
To use a KMS CMK, you must call KMS.