Envelope Encryption using AWS KMS
- call
GenerateDataKeyto getPlaintextandCiphertextBlob -
PlaintextandCiphertextBlobareDEKandwrapped_DEKrespectively - use
Plaintextto encrypt your message, and storeCiphertextBlobfor decryption in the future - when decrypting, get
Plaintextfrom KMS by using storedCiphertextBlob
terms learned:
KEK = the long-lived master key (your KMS key). It never leaves KMS. You don’t handle it directly.
DEK = short-lived data key used to encrypt the data. You get it from KMS, use it locally, then discard it.
You store the wrapped (encrypted) DEK, not the plaintext DEK.
What I was wondering:
Q: When KEK is rotated, how would we update the exisiting CiphertextBlob which is build using an older KEK?
A: when KEK (key encription key) is rotated on KMS, it would not affect the existing CiphertextBlob.
This old CiphertextBlob will remain cryptographically strong and safe.
Q: Would the service know when the KEK is rotated?
A: Use GetKeyRotationStatus which will give us
{
"KeyId": "string",
"KeyRotationEnabled": boolean,
"NextRotationDate": number,
"OnDemandRotationStartDate": number,
"RotationPeriodInDays": number
}
Benefits
Enhanced Security:
It adds a crucial layer of security, protecting not just the data, but also the key used to encrypt that data.
Efficient Key Management:
You only need to securely store and manage the KEKs. The DEKs, which are generated frequently and used for a single piece of data, don't need to be kept in a high-security location.
Simplified Key Rotation:
To rotate an encryption key, you can generate a new KEK and re-encrypt all the DEKs with it, rather than having to re-encrypt all the original data.
Scalability:
It's a fundamental technique used by cloud providers like AWS and Google Cloud to manage encryption at scale, allowing for the secure handling of large volumes of data.