Envelope Encryption — Storing Secrets in the Cloud
With envelope encryption, we take our data and encrypt it with a Data Encryption Key (DEK) — also known as a data key. We then take the DEK and encrypt it with a Customer Master Key (CMK) — also known as a root key. After this we can store the encrypted DEK alongside the encrypted data. In Figure 1, we see that Alice has the CMK and Wendy has the DEK. Wendy takes Alice’s data and encrypts it with her DEK, and either she or Alice can then take Alice’s CMK and encrypt the DEK. Both the encrypted data and the encrypted DEK can be stored together (as in an envelope). To decrypt the data, Alice uses her CMK to decrypt the encrypted DEK to reveal the DEK, which can then be used to decrypt the data. Note that the CMK never touches the data itself and the plaintext DEK is needed only briefly, so the CMK can stay inside a key service while many objects each get their own DEK.
One place envelope encryption is used is AWS Secrets Manager. In Figure 2, we see that Alice has updated the password on the database (1). She then stores the secret password in AWS Secrets Manager (2). Next, when Bob’s application wants to use the database, it retrieves the password from Secrets Manager (3) and then uses it to access the database (4). At no point does Bob’s application hold the CMK: the service unwraps the DEK and returns the decrypted secret to a caller that is authorised to read it.
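The two flows above, the Figure 1 envelope (encrypt data under a fresh DEK, wrap the DEK under the CMK, store both together) and the Figure 2 secret-store round trip (store, then retrieve and decrypt), as one added example written for this page; it is not code from the page, from AWS, or from any AWS SDK. It uses Go's standard-library AES-256-GCM in place of KMS for both the data encryption and the key wrapping, and `SecretStore` is a constructed in-memory stand-in for Secrets Manager; the type and function names, the `envelope:dek` label and the sample secret are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets stored: the data encrypted under the DEK plus the DEK
// encrypted (wrapped) under the CMK. Neither part alone reveals the plaintext.
type Envelope struct {
	WrappedDEK []byte // DEK encrypted under the CMK
	Ciphertext []byte // data encrypted under the DEK (nonce prefixed)
}

// newGCM builds an AES-GCM AEAD for a 16/24/32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts plaintext under key and prefixes the random nonce.
// aad is authenticated but not encrypted; it binds the blob to its purpose.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; GCM's tag check makes any change to the
// ciphertext, nonce or aad fail here instead of yielding garbage.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// dekAAD labels wrapped DEKs so a wrapped key cannot be passed off as data (assumed label).
var dekAAD = []byte("envelope:dek")

// EnvelopeEncrypt is Wendy's step: a fresh DEK per object encrypts the data,
// then the DEK itself is wrapped under the CMK. The plaintext DEK is discarded.
func EnvelopeEncrypt(cmk, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32) // AES-256 data key
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := gcmSeal(dek, plaintext, nil)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := gcmSeal(cmk, dek, dekAAD)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// EnvelopeDecrypt is Alice's step: unwrap the DEK with the CMK, then decrypt the data.
func EnvelopeDecrypt(cmk []byte, env Envelope) ([]byte, error) {
	dek, err := gcmOpen(cmk, env.WrappedDEK, dekAAD)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.Ciphertext, nil)
}

// SecretStore is a constructed in-memory model of the Secrets Manager flow: the
// service holds the CMK, every secret is its own envelope, and callers see plaintext only on read.
type SecretStore struct {
	cmk     []byte
	secrets map[string]Envelope
}

func NewSecretStore(cmk []byte) *SecretStore {
	return &SecretStore{cmk: cmk, secrets: map[string]Envelope{}}
}

// Put is step 2 in Figure 2: Alice stores the new database password.
func (s *SecretStore) Put(name string, value []byte) error {
	env, err := EnvelopeEncrypt(s.cmk, value)
	if err != nil {
		return err
	}
	s.secrets[name] = env
	return nil
}

// Get is step 3: Bob's application retrieves (and the service decrypts) the password.
func (s *SecretStore) Get(name string) ([]byte, error) {
	env, ok := s.secrets[name]
	if !ok {
		return nil, fmt.Errorf("no secret named %q", name)
	}
	return EnvelopeDecrypt(s.cmk, env)
}

func main() {
	cmk := make([]byte, 32)
	rand.Read(cmk) // the CMK; in KMS this key never leaves the service
	store := NewSecretStore(cmk)
	store.Put("prod/db/password", []byte("constructed-example-password"))
	pw, err := store.Get("prod/db/password")
	fmt.Printf("%s (err=%v)\n", pw, err)
}
```

Two design points worth noticing: the CMK is only ever used to encrypt a 32-byte key, so re-keying means re-wrapping small blobs rather than re-encrypting all the data, and because GCM authenticates the wrapped DEK, a wrong CMK or a modified envelope is rejected at the unwrap step rather than producing a plausible-looking but wrong password.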