Envelope Encryption
What is Envelope Encryption?
Envelope EncryptionA pattern in which bulk data is encrypted by a fast data encryption key, which is itself encrypted (wrapped) by a master key stored in a KMS or HSM.
Envelope encryption decouples bulk symmetric encryption from key custody. A per-object Data Encryption Key (DEK) - typically a fresh AES-256 key - encrypts the payload, then the DEK is itself encrypted by a long-lived Key Encryption Key (KEK), also called the master key, that never leaves a KMS or HSM. Only the wrapped DEK is stored alongside the ciphertext; decryption requires a KMS call that unwraps the DEK under proper IAM controls. This pattern enables fast local encryption, fine-grained per-tenant or per-record keys, cheap key rotation (rewrap the DEK, not the data), and clean audit trails. It is the basis of AWS KMS, Google Cloud KMS, S3 SSE-KMS, and most cloud storage encryption.
● Examples
- 01
AWS KMS GenerateDataKey returns a plaintext DEK plus its KMS-wrapped form.
- 02
Google Cloud Storage CMEK uses envelope encryption with customer-managed KEKs.
● Frequently asked questions
What is Envelope Encryption?
A pattern in which bulk data is encrypted by a fast data encryption key, which is itself encrypted (wrapped) by a master key stored in a KMS or HSM. It belongs to the Cryptography category of cybersecurity.
What does Envelope Encryption mean?
A pattern in which bulk data is encrypted by a fast data encryption key, which is itself encrypted (wrapped) by a master key stored in a KMS or HSM.
How does Envelope Encryption work?
Envelope encryption decouples bulk symmetric encryption from key custody. A per-object Data Encryption Key (DEK) - typically a fresh AES-256 key - encrypts the payload, then the DEK is itself encrypted by a long-lived Key Encryption Key (KEK), also called the master key, that never leaves a KMS or HSM. Only the wrapped DEK is stored alongside the ciphertext; decryption requires a KMS call that unwraps the DEK under proper IAM controls. This pattern enables fast local encryption, fine-grained per-tenant or per-record keys, cheap key rotation (rewrap the DEK, not the data), and clean audit trails. It is the basis of AWS KMS, Google Cloud KMS, S3 SSE-KMS, and most cloud storage encryption.
How do you defend against Envelope Encryption?
Defences for Envelope Encryption typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Envelope Encryption?
Common alternative names include: Wrapped key encryption, DEK/KEK pattern.
● Related terms
- cryptography№ 588
Key Management System
A centralised service that generates, stores, rotates, and audits cryptographic keys on behalf of applications, typically backed by hardware security modules.
- cryptography№ 589
Key Rotation
The periodic replacement of cryptographic keys with new ones to limit the volume of data protected by any single key and contain the impact of compromise.
- cryptography№ 023
AES-GCM
An authenticated encryption mode that combines AES in counter mode with a GHASH-based authentication tag for confidentiality and integrity in a single pass.
- cloud-security№ 124
Bring Your Own Key (BYOK)
A key-management model where the customer generates or imports its own encryption keys into the cloud provider's KMS instead of relying on provider-generated keys.
● See also
- № 871Proxy Re-Encryption