Implementing Envelope Encryption with AWS KMS
Overview
Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a master key (KEK) managed by AWS KMS. This approach allows encrypting large volumes of data locally while keeping the master key secure in a hardware security module (HSM) managed by AWS. This skill covers implementing envelope encryption using AWS KMS GenerateDataKey API.
Objectives
- Understand the envelope encryption pattern and its advantages
- Generate data encryption keys using AWS KMS GenerateDataKey
- Encrypt/decrypt data locally using DEKs
- Store encrypted DEK alongside ciphertext
- Implement key caching to reduce KMS API calls
- Handle key rotation with automatic re-encryption
- Implement multi-region encryption for disaster recovery
Key Concepts
Envelope Encryption Flow
- Call
kms:GenerateDataKey to get plaintext DEK + encrypted DEK
- Use plaintext DEK to encrypt data locally (AES-256-GCM)
- Store encrypted DEK alongside ciphertext
- Discard plaintext DEK from memory
- For decryption: call
kms:Decrypt on encrypted DEK, then decrypt data
Advantages Over Direct KMS Encryption
| Aspect |
Direct KMS |
Envelope Encryption |
| Max data size |
4 KB |
Unlimited |
| Latency |
Network round-trip per operation |
Local encryption |
| Cost |
$0.03/10,000 requests |
Fewer KMS requests |
| Offline |
Not possible |
Yes (with cached DEKs) |
KMS Key Types
-
AWS Managed: AWS creates and manages (
aws/s3, aws/ebs)
-
Customer Managed: You create and manage policies
-
Custom Key Store: Backed by CloudHSM cluster
Security Considerations
- Never store plaintext DEK; only keep encrypted DEK
- Use key policies to restrict who can call GenerateDataKey and Decrypt
- Enable AWS CloudTrail logging for all KMS API calls
- Implement key rotation (automatic annual rotation for CMKs)
- Use encryption context for authenticated encryption metadata
- Handle KMS throttling with exponential backoff
Validation Criteria
