AWS KMS Envelope Encryption — Explained


Background:

In the past, application teams used to store the keys used for data encryption and decryption in application configuration files. This is a security risk: if the key is exposed to an intruder, they can decrypt the data.

Introduction:

Envelope encryption is the practice of encrypting plaintext data with a data key (explained below), and then encrypting that data key with another key. In short, the data key that encrypts the data is itself encrypted by some other key so that it can be stored securely.

In the diagram below:

  1. We have a data key (explained below), which we use to encrypt data (data in EBS, S3, a local disk, etc.).
  2. We then have to secure the data key with which we encrypted the plaintext data. That is why we encrypt the data key with another key (in the diagram, the AWS KMS key encrypts the data key); doing this is known as envelope encryption.
Snippet 1.1 - Envelope Encryption

Data keys:

  1. First of all, a data key is just like any other key (example: a .pem key). The only differences are the algorithm it is generated with and the purpose it serves.
  2. Data keys are symmetric keys you can use to encrypt data, including large amounts of data (well over 4 KB) and other data encryption keys. For example, encryption at rest for EBS, S3 and RDS is achieved under the hood with data keys.
  3. Unlike KMS customer managed keys (which are not allowed to leave the AWS KMS service), data keys are returned to the user for use outside of AWS KMS.
  4. When AWS KMS generates a data key, it returns a plaintext data key for immediate use (to encrypt the data) and an encrypted copy of the data key that you can safely store with the data. Refer to the image below (Snippet 1.2).
  5. When you are ready to decrypt the data, you first ask AWS KMS to decrypt the encrypted copy of the data key (from the step above) and then decrypt the data with it.
  6. AWS KMS is responsible only for generating, encrypting and decrypting data keys. Once a data key is generated, AWS KMS does not store, manage or track it. That is why users have to use and manage data keys outside of AWS KMS.
  7. With the same AWS KMS key, you can generate as many data keys as you want.
Snippet 1.2 - Data Key Requested from AWS KMS Using a CMK

In the above snippet (1.2), we have asked AWS KMS to generate a data key for us (using a KMS symmetric key). In response, it returns:

#1 — Plaintext data key

#2 — Encrypted data key (CiphertextBlob)

How does Envelope Encryption work?

Encryption Process:

Snippet 1.3 — Encryption process in Envelope Encryption
  1. An API request is sent to KMS to generate a data key using the CMK (you can do this with the AWS CLI or an SDK).
  2. KMS returns a response containing the plaintext data key and the encrypted data key.
  3. The actual data (EBS, local disk data) can then be encrypted using the plaintext data key.
  4. Once the data has been encrypted, remove the plaintext data key from memory.
  5. Store the encrypted data key somewhere safe. It will be needed later to decrypt the data.

Decryption Process:

Snippet 1.4 — Decryption process in Envelope Encryption
  1. Retrieve the encrypted data key from your safe storage.
  2. Send an API request to AWS KMS to decrypt the key.
  3. KMS returns a response containing the plaintext data key.
  4. Decrypt the encrypted data using the plaintext data key.
  5. Once the data has been decrypted, remove the plaintext data key from memory.
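The two processes above, as an added Python example that is not from the article: AWS KMS is replaced by a local stand-in class that holds the KMS key, and AES by an HMAC-SHA256 counter-mode cipher from the standard library so the code runs offline; the boto3 method names in the comments are the real SDK calls, everything else (keys, sample data) is constructed for the demo.

```python
import hashlib
import hmac
import os

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a stdlib stand-in for AES (demo only)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key, data):
    """Encrypt-then-MAC with a fresh nonce; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key, blob):
    """Verify the tag before decrypting; tampering raises instead of returning garbage."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class LocalKms:
    """Stand-in for AWS KMS: the KMS key (KEK) never leaves this object.
    With boto3 the two methods correspond to
    kms.generate_data_key(KeyId=..., KeySpec="AES_256") -> Plaintext, CiphertextBlob
    and kms.decrypt(CiphertextBlob=...) -> Plaintext."""
    def __init__(self):
        self._kek = os.urandom(32)   # constructed for the demo, never returned

    def generate_data_key(self):
        data_key = os.urandom(32)
        return data_key, seal(self._kek, data_key)   # (Plaintext, CiphertextBlob)

    def decrypt(self, ciphertext_blob):
        return unseal(self._kek, ciphertext_blob)

def envelope_encrypt(kms, data):
    plain_key, encrypted_key = kms.generate_data_key()  # Snippet 1.3, steps 1-2
    ciphertext = seal(plain_key, data)                  # step 3: encrypt outside KMS
    del plain_key                                       # step 4: drop the plaintext key
    return encrypted_key, ciphertext                    # step 5: keep both together

def envelope_decrypt(kms, encrypted_key, ciphertext):
    plain_key = kms.decrypt(encrypted_key)              # Snippet 1.4, steps 1-3
    return unseal(plain_key, ciphertext)                # step 4; plain_key dropped on return
```

Only the encrypted data key and the ciphertext are stored; a different KMS instance (a different KEK) or a tampered wrapped key fails the integrity check and cannot recover the data key.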

Summary:

Basically, we have encrypted the key (which we used to encrypt the plaintext data) using another key (the AWS KMS key in the example above). That is how we achieve envelope encryption. You can apply envelope encryption at any number of levels (example: the first key is encrypted by a second key, the second by a third, and so on).

I will perform the demo as part of a different article and update the link here.

