Envelope Encryption

What is it?

Envelope encryption is an approach used within many applications to encrypt data. With this approach your data is protected two-fold: the message is encrypted with a data key, and the data key is itself encrypted with a master key.

How does this work?

  • Typically there are many long-term keys, or master keys, that are held in a key management system (KMS).
  • When you need to encrypt a message:
    • A request is sent to the KMS to generate a data key based on one of the master keys.
    • The KMS returns a data key, which usually contains both the plaintext version and the encrypted version of the data key.
    • The message is encrypted using the plaintext data key.
    • Then both the encrypted message and the encrypted data key are packaged into a structure (sometimes called an envelope) and written.
    • The plaintext key is immediately removed from memory.
  • When it comes time to decrypt the message:
    • The encrypted data key is extracted from the envelope.
    • The KMS is asked to decrypt the data key using the same master key that was used to generate it.
    • Once the plaintext version of the data key is obtained, the encrypted message itself is decrypted.


With this approach, anyone who wants to decrypt the data needs to be authenticated with the KMS, since the master keys are held only there and never exported, and only the KMS can decrypt the data keys.
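
The encrypt and decrypt paths listed above, as an added Node.js example that is not from the original post. `makeKms` is a hypothetical in-process stand-in for a real KMS; the `mk-1` key id, the function names, the choice of AES-256-GCM and the blob layout are all assumptions made for the illustration.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM; blob layout (an assumption) is nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the blob was modified.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Hypothetical in-process stand-in for a KMS: the master keys stay inside
// this closure and are never returned; callers refer to them by id only.
function makeKms() {
  const masters = new Map([['mk-1', crypto.randomBytes(32)]]);
  return {
    generateDataKey(keyId) {
      const plaintext = crypto.randomBytes(32);
      return { plaintext, encrypted: seal(masters.get(keyId), plaintext) };
    },
    decrypt: (keyId, encrypted) => open(masters.get(keyId), encrypted),
  };
}

// Write path: encrypt with the plaintext data key, store only its wrapped form.
function encryptMessage(kms, keyId, message) {
  const dataKey = kms.generateDataKey(keyId);
  const ciphertext = seal(dataKey.plaintext, Buffer.from(message, 'utf8'));
  dataKey.plaintext.fill(0); // overwrite the plaintext data key once used
  return { keyId, encryptedKey: dataKey.encrypted, ciphertext };
}

// Read path: the KMS unwraps the data key, then the message is decrypted.
function decryptMessage(kms, envelope) {
  const key = kms.decrypt(envelope.keyId, envelope.encryptedKey);
  try {
    return open(key, envelope.ciphertext).toString('utf8');
  } finally {
    key.fill(0);
  }
}
```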




In the next post I will show how this can be done using AWS.

