Envelope Encryption: The Security Pattern Every Cloud Developer Should Know
When building cloud applications that handle sensitive data, encryption isn’t optional, it’s essential. But there’s an important difference between just doing the basic encryption vs. implementing it correctly at scale. In this article, we’ll explore envelope encryption, a pattern that AWS, Google Cloud, and Azure all use internally and recommend for production applications. What Is Envelope Encryption? Envelope encryption is a cryptographic pattern where you use two layers of keys: Data Encryption Key (DEK): A symmetric key that encrypts your actual data locally Key Encryption Key (KEK): A KMS-managed master key that encrypts the DEK Think of it like a safety deposit box inside another safety deposit box. Your jewelry (I mean ‘data’) are locked in the inner box (encrypted with DEK), and the key to that inner box is itself locked in the outer box (DEK encrypted with KEK stored in cloud KMS). ...