Envelope Encryption – KMS Data Key Encryption

Envelope Encryption

  • AWS KMS and Google Cloud KMS use a method called envelope encryption to protect the data.
  • Envelope encryption is an optimized method for encrypting data that uses two (or more) different keys — a Key Encryption Key (KEK) and a Data Encryption Key (DEK).
  • Master key is also known as Key Encryption Key – KEK and Data key is also known as Data Encryption Key – DEK.
  • Envelope encryption reduces the network load for the application or the cloud service as only the request and fulfillment of the much smaller data key through KMS must go over the network.
  • The data key is used locally by the encrypting service, avoiding the need to send the entire block of data to KMS and suffer network latency.
  • KMS can encrypt at most 4 KB of data directly. Envelope encryption allows encrypting arbitrarily large payloads by using locally generated data keys.
  • Envelope encryption can reduce KMS-related costs by up to 99% by minimizing the number of KMS API calls — only the data key wrapping/unwrapping goes through KMS, while encryption/decryption of actual data happens locally.

Envelope encryption key hierarchy

Root Key

  • A root key is an encryption key that is used to encrypt other encryption keys, such as data keys and key encryption keys. Unlike data keys and key encryption keys, root keys must be kept in plaintext so they can be used to decrypt the keys that they encrypted.
  • Key Management Service (KMS) generates and protects the root keys within FIPS 140-2 (AWS) or FIPS 140-3 (latest) validated Hardware Security Modules (HSMs).
  • In AWS KMS, root keys are referred to as KMS keys (previously called Customer Master Keys or CMKs — the CMK term was deprecated in August 2021).

Key Encryption Key – KEK

  • A key encryption key is an encryption key that is used to encrypt a data key or another key encryption key.
  • Key encryption key is encrypted (wrapped) by using a root key.
  • In Google Cloud KMS, the KEK is the Cloud KMS key used to wrap (encrypt) the DEK. The KEK never leaves Cloud KMS.

Data Encryption Key – DEK

  • A data key or data encryption key is an encryption key that is used to protect data.
  • Data keys differ from root keys and key encryption keys, which are typically used to encrypt other encryption keys.
  • Best practice is to use a strong algorithm such as 256-bit Advanced Encryption Standard (AES) in Galois Counter Mode (GCM) for DEKs.
  • A new DEK should be generated every time data is written — this eliminates the need to rotate DEKs separately.
  • DEKs should always be stored encrypted (wrapped by a KEK) and near the data they encrypt for easy access.

Envelope Encryption Process

  • Encryption
    • Create a KMS key (root/master key) in your KMS service.
    • Generate a data key using the KMS API (e.g., AWS KMS GenerateDataKey API).
    • KMS returns both the plaintext data key and the encrypted (ciphertext) data key.
    • Use the plaintext data key locally to encrypt the data.
    • Store the encrypted data key alongside the encrypted data.
    • Immediately discard the plaintext data key from memory.
  • Decryption
    • Retrieve the ciphertext data key and encrypted data from storage.
    • Call KMS Decrypt API to decrypt the ciphertext data key using the KMS key. The plaintext data key is returned.
    • Use the plaintext data key to decrypt the data locally.
    • Discard the plaintext data key from memory after use.
  • Encrypting the data key is more efficient than re-encrypting the data under the new key because it is quicker and produces a much smaller ciphertext.

Envelope Encryption Benefits

  • Protecting data keys
    • When you encrypt a data key, you don’t have to worry about storing the encrypted data key, because the data key is inherently protected by encryption. You can safely store the encrypted data key alongside the encrypted data.
  • Encrypting the same data under multiple keys
    • Encryption operations can be time-consuming, particularly when the data being encrypted are large objects.
    • Instead of re-encrypting raw data multiple times with different keys, you can re-encrypt only the data keys that protect the raw data.
  • Combining the strengths of multiple algorithms
    • In general, symmetric key algorithms are faster and produce smaller ciphertexts than public key algorithms.
    • But public key algorithms provide inherent separation of roles and easier key management.
    • Envelope encryption lets you combine the strengths of each strategy.
  • Performance and scalability
    • Only the small data key (typically 256 bits) needs to transit the network to KMS, not the large data payload.
    • Reduces latency since encryption/decryption of the actual data is performed locally.
    • Helps stay within KMS API request rate quotas for high-throughput workloads.
  • Overcoming the 4 KB KMS size limit
    • KMS keys can only directly encrypt data up to 4 KB. Envelope encryption removes this limitation by using locally generated data keys for the actual encryption.

AWS KMS Envelope Encryption APIs

  • GenerateDataKey — Returns a plaintext data key and a copy encrypted under the specified KMS key. Use this when you need to encrypt data immediately.
  • GenerateDataKeyWithoutPlaintext — Returns only the encrypted data key. Use this when you don’t need to encrypt data immediately but want to store a key for future use.
  • GenerateDataKeyPair — Returns an asymmetric data key pair (public key in plaintext, private key in plaintext and encrypted). Useful for client-side encryption where different parties encrypt/decrypt.
  • GenerateDataKeyPairWithoutPlaintext — Returns only the public key in plaintext and the private key encrypted.
  • Encrypt — Encrypts up to 4 KB of plaintext directly using a KMS key (not envelope encryption).
  • Decrypt — Decrypts a ciphertext that was encrypted by a KMS key, including encrypted data keys.

AWS Encryption SDK

  • The AWS Encryption SDK is a client-side encryption library that implements envelope encryption as a best-practice pattern.
  • It generates a unique symmetric data key for each encryption operation by default.
  • Supports multiple wrapping keys (KMS keys) — allowing the same data to be decryptable by multiple keys.
  • Includes key commitment — ensures the ciphertext can only be decrypted to a single plaintext (prevents ciphertext ambiguity attacks).
  • Data Key Caching — An optional feature that reuses data keys for multiple encryption operations to reduce KMS API calls and cost. Should be used cautiously with appropriate security thresholds (max age, max messages, max bytes).
  • Available for Java, Python, C, JavaScript, and .NET.

Key Rotation and Envelope Encryption

  • When a KMS key is rotated, only new data keys are encrypted with the new key material.
  • Previously encrypted data keys remain decryptable because AWS KMS retains all previous versions of the key material.
  • This means you do not need to re-encrypt all your data when rotating the KMS key — only the key wrapping changes for new operations.
  • AWS KMS Key Rotation Updates (April 2024):
    • Flexible automatic rotation periods — customizable between 90 days and 2,560 days (previously fixed at 365 days).
    • On-demand rotation — rotate key material immediately using RotateKeyOnDemand API, independent of the automatic rotation schedule.
    • Rotation visibility improvements — track rotation history and key material versions.
    • Cost capped at 2 rotations — $1/month is added for the first and second rotation; all subsequent rotations are free.
    • Imported key rotation (June 2025) — On-demand rotation is now supported for symmetric-encryption KMS keys with imported key material (EXTERNAL origin).

Post-Quantum Cryptography and Envelope Encryption

  • As quantum computing advances, organizations must prepare for potential threats to current cryptographic algorithms (store-now-harvest-later attacks).
  • AWS KMS Post-Quantum Support (2025):
    • ML-KEM (Module-Lattice Key Encapsulation Mechanism) — Post-quantum key exchange now supported in TLS connections to AWS KMS, ACM, and Secrets Manager (April 2025). Protects data in transit against future quantum threats.
    • ML-DSA (Module-Lattice Digital Signature Algorithm) — Post-quantum digital signatures supported in AWS KMS (June 2025). Enables quantum-resistant signing operations within FIPS 140-3 Level 3 certified HSMs.
  • Google Cloud KMS Post-Quantum Support (2025):
    • Announced support for quantum-safe Key Encapsulation Mechanisms (KEMs) in preview (June 2025).
    • Quantum-safe digital signatures available in Cloud KMS (February 2025).
  • While envelope encryption itself (symmetric AES-256-GCM for data) remains quantum-resistant, the key exchange and wrapping mechanisms need post-quantum upgrades.

KMS Key Storage Options

  • Standard KMS Key Store — Default option. Keys are stored and protected in multi-tenant FIPS-validated HSMs managed by AWS.
  • Custom Key Store (CloudHSM-backed) — Keys are stored in a dedicated AWS CloudHSM cluster you own and control. Provides single-tenant HSM with direct key control.
  • External Key Store (XKS) — Introduced November 2022. Keys are stored in an external key management system outside of AWS. Designed for regulated workloads requiring keys to remain outside AWS at all times. Key operations may have higher latency due to external dependencies.
  • Google Cloud EKM (External Key Manager) — Similar to AWS XKS, allows using keys managed by a supported external key manager with Google Cloud services.

Envelope Encryption in AWS Services

  • Amazon S3 — Uses envelope encryption for Server-Side Encryption with KMS (SSE-KMS). Each object is encrypted with a unique data key, which is wrapped by the KMS key.
  • Amazon EBS — Encrypts volumes using data keys wrapped by a KMS key. Supports default encryption for all new volumes.
  • Amazon RDS/Aurora — Uses envelope encryption for encryption at rest of databases, automated backups, snapshots, and read replicas.
  • Amazon DynamoDB — Encryption at rest uses envelope encryption with AWS managed or customer managed KMS keys.
  • AWS Secrets Manager — Encrypts secret values using envelope encryption with KMS keys.
  • Amazon EKS — Supports default envelope encryption for all Kubernetes API data (secrets). Uses KMS keys for encrypting data encryption keys at the Kubernetes layer.
  • Amazon MSK (Managed Streaming for Apache Kafka) — Supports envelope encryption with KMS for data at rest.

Google Cloud KMS Envelope Encryption

  • Google Cloud KMS uses a similar key hierarchy with DEKs and KEKs.
  • The Encrypt and Decrypt operations in Cloud KMS are limited to 64 KiB input size (vs 4 KB in AWS KMS).
  • For larger data, use envelope encryption with a local DEK wrapped by a Cloud KMS KEK.
  • Best practices for DEKs in Google Cloud:
    • Generate DEKs locally.
    • Always store DEKs encrypted at rest.
    • Store the DEK near the data it encrypts.
    • Generate a new DEK every time you write data.
    • Use AES-256-GCM cipher for data encryption.
  • Google Cloud offers client-side encryption with Tink library, which implements envelope encryption with Cloud KMS as the KEK provider.
  • Customer-Managed Encryption Keys (CMEK) — Allows control over encryption keys used by Google Cloud services, leveraging Cloud KMS for key management.
  • Customer-Supplied Encryption Keys (CSEK) — Available for Cloud Storage and Compute Engine; you supply your own AES-256 key as the KEK.

AWS Certification Exam Tips

  • Envelope encryption is a key topic for AWS Solutions Architect Associate (SAA-C03), AWS Security Specialty (SCS-C02), and AWS Developer Associate (DVA-C02) exams.
  • Understand the difference between direct KMS encryption (up to 4 KB) and envelope encryption (unlimited data size).
  • Know when to use GenerateDataKey vs Encrypt API — if data exceeds 4 KB, envelope encryption with GenerateDataKey is required.
  • Understand that the plaintext data key should be discarded from memory immediately after use.
  • Key rotation does not require re-encrypting existing data — old key material is retained for decryption.
  • Know the role of Encryption Context as additional authenticated data (AAD) that provides integrity and authenticity.

Practice Questions

  1. A company needs to encrypt files larger than 100 MB using AWS KMS. Which approach should they use?
    1. Use the KMS Encrypt API directly
    2. Split the file into 4 KB chunks and encrypt each with KMS
    3. Use envelope encryption with GenerateDataKey to create a data key, then encrypt the file locally
    4. Use AWS CloudHSM directly without KMS
    Show Answer

    Answer: c – KMS Encrypt can only handle up to 4 KB. Envelope encryption uses a locally generated data key for encrypting large files.

  2. In envelope encryption, what happens when the KMS key is rotated?
    1. All previously encrypted data must be re-encrypted
    2. All previously encrypted data keys must be re-wrapped
    3. Only new data keys are wrapped with the new key material; old data keys remain decryptable
    4. The rotation fails if there are existing encrypted data keys
    Show Answer

    Answer: c – AWS KMS retains all previous key material versions, so old data keys encrypted under older material can still be decrypted.

  3. Which AWS KMS API should be used to obtain a data key for envelope encryption when you need to encrypt data immediately?
    1. Encrypt
    2. GenerateDataKeyWithoutPlaintext
    3. GenerateDataKey
    4. CreateKey
    Show Answer

    Answer: c – GenerateDataKey returns both the plaintext and encrypted data key for immediate use. GenerateDataKeyWithoutPlaintext only returns the encrypted copy.

  4. What is the maximum data size that can be encrypted directly using the AWS KMS Encrypt API?
    1. 256 bytes
    2. 4 KB
    3. 64 KB
    4. 1 MB
    Show Answer

    Answer: b – The KMS Encrypt API can encrypt up to 4,096 bytes (4 KB) of plaintext directly.

  5. A developer wants to reduce AWS KMS API costs for an application that performs thousands of encryption operations per second. Which approach is recommended? (Select TWO)
    1. Use the AWS Encryption SDK with data key caching
    2. Call KMS Encrypt for each operation
    3. Implement envelope encryption to minimize KMS API calls
    4. Increase the KMS API request quota
    5. Use SSE-S3 instead of SSE-KMS
    Show Answer

    Answers: a, c – Data key caching reuses data keys to reduce KMS calls, and envelope encryption itself minimizes KMS interactions by using local encryption.

  6. Which statement about AWS KMS key rotation is correct as of 2024? (Select TWO)
    1. Automatic rotation can only occur every 365 days
    2. On-demand rotation is available via the RotateKeyOnDemand API
    3. Rotation periods can be customized between 90 and 2,560 days
    4. Key rotation requires re-encrypting all existing data
    5. Rotation is only supported for AWS managed keys
    Show Answer

    Answers: b, c – Since April 2024, AWS KMS supports flexible rotation periods (90-2,560 days) and on-demand rotation independent of automatic schedules.

References