Envelope encryption is a high-performance way to encrypt and decrypt large volumes of data. Instead of encrypting and decrypting the data directly with the customer master key (CMK), it uses a data encryption key (DEK) and seals that DEK in an envelope, that is, encrypts it with the CMK, for storage, transmission and use; KMS guarantees the randomness and security of the DEK.
As a result, users do not need to upload large volumes of business data to the KMS server: data is encrypted and decrypted locally with the DEK, offline, which removes the security risk of sending the data out and preserves the performance of business encryption.
Scenario Diagram
Procedure
Envelope Encryption
1. Create a CMK in the KMS console or by calling the CreateKey API.
2. Call the GenerateDataKey API to generate a DEK. KMS returns a plaintext DEK and a ciphertext DEK, the latter encrypted by the CMK.
3. Use the plaintext DEK to encrypt the local files, then delete the plaintext DEK from memory.
4. Store the ciphertext DEK and encrypted data files on a persistent storage device or service.
Envelope Decryption
1. Retrieve the ciphertext DEK from the local files.
2. Call the Decrypt API of KMS to decrypt the ciphertext DEK into the plaintext DEK.
3. Use the plaintext DEK to decrypt the local files, then delete the plaintext DEK from memory.
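The two procedures above in code, as an added example that is not part of this page or of any KMS SDK: a FakeKMS stub stands in for the service (the CMK never leaves it) and AES-256-GCM is assumed for both the DEK wrapping and the local data encryption; FakeKMS, seal, open, zero and must are this example's own names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // cannot fail with fixed 32-byte keys and working crypto/rand
// zero wipes a plaintext DEK from memory once it is no longer needed (step 3 of each procedure).
func zero(b []byte) { for i := range b { b[i] = 0 } }
// seal/open use AES-256-GCM (assumed for both layers): nonce || ciphertext || tag, so tampering is rejected on open.
func seal(key, pt []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
// FakeKMS stands in for the KMS service: the CMK (step 1) lives only inside it and never leaves.
type FakeKMS struct{ cmk []byte }
// GenerateDataKey mirrors the KMS API (step 2): a fresh plaintext DEK plus that DEK wrapped by the CMK.
func (k *FakeKMS) GenerateDataKey() (dek, wrapped []byte) {
	dek = make([]byte, 32)
	must(rand.Read(dek))
	return dek, seal(k.cmk, dek)
}
// Decrypt mirrors the KMS Decrypt API: unwrap a ciphertext DEK under the CMK.
func (k *FakeKMS) Decrypt(wrapped []byte) ([]byte, error) { return open(k.cmk, wrapped) }
// EnvelopeEncrypt: obtain a DEK, encrypt locally, wipe the plaintext DEK; the caller stores wrappedDEK beside ct (step 4).
func EnvelopeEncrypt(kms *FakeKMS, data []byte) (wrappedDEK, ct []byte) {
	dek, wrapped := kms.GenerateDataKey()
	defer zero(dek)
	return wrapped, seal(dek, data)
}
// EnvelopeDecrypt: unwrap the DEK through KMS, decrypt locally, wipe the plaintext DEK.
func EnvelopeDecrypt(kms *FakeKMS, wrappedDEK, ct []byte) ([]byte, error) {
	dek, err := kms.Decrypt(wrappedDEK)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	return open(dek, ct)
}
```

Only the wrapped DEK and the ciphertext ever touch persistent storage; a wrong CMK or a modified wrapped DEK makes EnvelopeDecrypt fail instead of returning garbage.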