---
tags: #publish
links: [[Security]], [[AWS]], [[AWS Key Management Service (KMS)]]
created: 2020-12-07 Mon
---

# Envelope Encryption

Roughly speaking: data is encrypted with a **data key**, and then *the data key is encrypted with a master key* and stored with the data.

In [[AWS Key Management Service (KMS)]] terminology:

- The master key (**Customer Master Key (CMK)**) never leaves KMS and is not used directly to encrypt data, only to encrypt other keys.
- **Data keys** are encrypted/decrypted with a CMK by calling KMS.
- **Data keys** are used by your application to encrypt your data, and are stored alongside it in encrypted form.
- To support multi-region, the same data key is encrypted with multiple master keys from different regions, and all results are stored in the envelope with your data.

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#enveloping
https://cloud.ibm.com/docs/key-protect?topic=key-protect-envelope-encryption
https://cloud.google.com/kms/docs/envelope-encryption
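The envelope layout described above, including the multi-region variant, as an added stand-alone example (not code from the note or from any KMS SDK). It assumes local AES-GCM keys as a stand-in for the per-region CMKs, so the wrap step runs in-process here where a real deployment would make a KMS `GenerateDataKey`/`Encrypt` call; the `Envelope` type, key ids and function names are illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what gets stored: the ciphertext plus the data key wrapped under
// one or more master keys, one entry per region keyed by master key id.
type Envelope struct {
	Ciphertext  []byte
	WrappedKeys map[string][]byte
}
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) } // wrong key length is a programming error, not bad input
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
// aeadSeal is AES-GCM with a fresh random nonce prepended to the output.
func aeadSeal(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
// aeadOpen reverses aeadSeal; a wrong key or tampered input fails authentication.
func aeadOpen(key, sealed []byte) ([]byte, error) {
	gcm := mustGCM(key)
	n := gcm.NonceSize()
	if len(sealed) < n { return nil, errors.New("wrapped key or ciphertext missing/truncated") }
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}
// Encrypt: a fresh data key per object seals the data, then that key is wrapped under
// every master key. masterKeys stands in for KMS CMKs (assumption: local keys, not KMS).
func Encrypt(masterKeys map[string][]byte, plaintext []byte) *Envelope {
	dataKey := make([]byte, 32) // AES-256 data key, used for this object only
	if _, err := rand.Read(dataKey); err != nil { panic(err) }
	env := &Envelope{Ciphertext: aeadSeal(dataKey, plaintext), WrappedKeys: map[string][]byte{}}
	for id, mk := range masterKeys { env.WrappedKeys[id] = aeadSeal(mk, dataKey) }
	return env
}
// Decrypt unwraps the data key with the one master key the caller holds (its own region's copy).
func Decrypt(masterID string, masterKey []byte, env *Envelope) ([]byte, error) {
	dataKey, err := aeadOpen(masterKey, env.WrappedKeys[masterID]) // nil when no copy exists
	if err != nil { return nil, err }
	return aeadOpen(dataKey, env.Ciphertext)
}
```

A region that holds only its own master key can still decrypt because its wrapped copy of the data key travels with the data; a wrong master key, an unknown region id, or a tampered ciphertext all fail authentication rather than yielding garbage.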