Envelope Encryption — Storing Secrets in the Cloud

With envelope encryption, we take our data and encrypt it with a Data Encryption Key (DEK), also known as a data key. We then take the DEK and encrypt it with a Customer Master Key (CMK), also known as a root key. After this, we can store the encrypted DEK alongside the encrypted data. In Figure 1, we see that Alice has the CMK and Wendy has the DEK. Wendy takes Alice’s data, and then encrypts…
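
The flow described above in Node.js, as an added example that is not code from the original article. `makeKms` is a hypothetical in-process stand-in for the service that holds the CMK, and AES-256-GCM is an assumed cipher choice; the sample secrets are constructed.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// seal: AES-256-GCM under `key`; output is nonce(12) || ciphertext || tag(16).
function seal(key, plaintext) {
  const nonce = randomBytes(12); // fresh per call; never reuse a nonce under one key
  const c = createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, body, c.getAuthTag()]);
}

// open: reverses seal; throws if the key is wrong or any byte was altered.
function open(key, blob) {
  if (blob.length < 28) throw new Error('blob shorter than nonce + tag');
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(blob.length - 16));
  return Buffer.concat([d.update(blob.subarray(12, blob.length - 16)), d.final()]);
}

// Hypothetical KMS stand-in (assumption): the CMK lives only inside this closure,
// so callers can request wrap/unwrap but can never read the root key itself.
function makeKms() {
  const cmk = randomBytes(32);
  return { wrap: (dek) => seal(cmk, dek), unwrap: (wrapped) => open(cmk, wrapped) };
}

// encryptRecord: fresh DEK per record, data under the DEK, DEK under the CMK.
function encryptRecord(kms, data) {
  const dek = randomBytes(32);
  const record = { wrappedDek: kms.wrap(dek), ciphertext: seal(dek, Buffer.from(data)) };
  dek.fill(0); // zero the plaintext DEK once both parts are sealed
  return record; // the wrapped DEK is stored alongside the ciphertext
}

// decryptRecord: unwrap the DEK via the KMS, then open the data with it.
function decryptRecord(kms, record) {
  const dek = kms.unwrap(record.wrappedDek);
  try {
    return open(dek, record.ciphertext).toString();
  } finally {
    dek.fill(0);
  }
}

// Constructed sample: two records share one CMK but each gets its own DEK.
const kms = makeKms();
const recA = encryptRecord(kms, 'db-password=example-1');
const recB = encryptRecord(kms, 'api-token=example-2');
console.log(decryptRecord(kms, recA), decryptRecord(kms, recB));
```

Because only the wrapped DEK is stored, reading a record requires an unwrap call to the CMK holder; a record handed to a different CMK, or altered in storage, fails the GCM tag check instead of decrypting.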

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.