Envelope Encryption — Storing Secrets in the Cloud


With envelope encryption, we take our data and encrypt it with a Data Encryption Key (DEK), also known as a data key. We then take the DEK and encrypt it with a Customer Master Key (CMK), also known as a root key (AWS now uses the term KMS key for this). After this we can store the encrypted DEK alongside the encrypted data. In Figure 1, we see that Alice has the CMK and Wendy has the DEK. Wendy takes Alice's data and encrypts it with her DEK, and either she or Alice can take Alice's CMK and encrypt the DEK. Both the encrypted data and the encrypted DEK can be stored together (as in an envelope). To decrypt the data, Alice uses her CMK to decrypt the encrypted DEK, revealing the DEK, which can then be used to decrypt the data. Note that the CMK never encrypts the bulk data directly, and the plaintext DEK is never stored: whoever controls the CMK controls access to every envelope wrapped under it, and the data can be moved to a new CMK by re-wrapping the small DEK rather than re-encrypting all of the data.

Figure 1: Envelope encryption

One area where envelope encryption is used is AWS Secrets Manager. In Figure 2, we see that Alice has updated the password on the database (1). She then stores the new password as a secret in AWS Secrets Manager (2). Next, when Bob's application wants to use the database, it retrieves the password from Secrets Manager (3) and uses it to connect to the database (4).

Figure 2: Updating with AWS Secrets Manager

With AWS Secrets Manager, whenever a new secret value is created, Secrets Manager asks KMS (Key Management Service) for a fresh data key (DEK) generated under the KMS key associated with the secret. KMS returns the DEK in plaintext together with a copy encrypted under the KMS key. Secrets Manager uses the plaintext DEK to encrypt the secret value with AES-256, stores the encrypted DEK alongside the encrypted secret, and discards the plaintext DEK. This is envelope encryption. When the secret is accessed, Secrets Manager sends the encrypted DEK back to KMS to be decrypted under the KMS key, uses the recovered DEK to decrypt the secret value, and then discards it again. The data key is never stored in unencrypted form, and the KMS key itself never leaves KMS. A practical consequence is that reading a secret protected by a customer managed KMS key needs permission on both the secret (secretsmanager:GetSecretValue) and the key (kms:Decrypt), which gives two independent policy control points. Another layer of protection is that every request to Secrets Manager must be made over a TLS connection.
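The DEK/CMK split of Figure 1 and the generate-encrypt-discard flow that Secrets Manager runs against KMS, as an added example in Go. This is not code from the original article or from AWS: the KMS type is an in-memory stand-in whose GenerateDataKey and Decrypt methods borrow the names of the real KMS API calls but run locally, AES-256-GCM is used both to wrap the DEK under the root key and to encrypt the secret (real KMS wraps keys inside its own HSMs with its own construction), and the secret string is constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes returns n bytes from the system CSPRNG; a failure here is unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newGCM returns an AES-GCM AEAD for a 32-byte key (used for both the root key and the DEK).
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length: a programming error, not a runtime condition
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// aeadSeal encrypts plaintext under key and returns nonce || ciphertext || tag.
func aeadSeal(key, plaintext, aad []byte) []byte {
	aead := newGCM(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// aeadOpen reverses aeadSeal; it errors if the key is wrong or the data was altered.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	aead := newGCM(key)
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// KMS is an in-memory stand-in for the key management service (a demo assumption, not AWS KMS).
// It holds the root key (CMK) and never hands it out; callers only get data keys and unwrapping.
type KMS struct{ rootKey []byte }

// NewKMS creates a KMS holding a fresh random 256-bit root key.
func NewKMS() *KMS { return &KMS{rootKey: randomBytes(32)} }

// GenerateDataKey mirrors the KMS call of that name: a fresh DEK, in plaintext and wrapped under the root key.
func (k *KMS) GenerateDataKey() (plaintextDEK, wrappedDEK []byte) {
	plaintextDEK = randomBytes(32)
	return plaintextDEK, aeadSeal(k.rootKey, plaintextDEK, []byte("dek")) // "dek" AAD labels the blob's purpose
}

// Decrypt mirrors the KMS call of that name: it unwraps a wrapped DEK with the root key.
func (k *KMS) Decrypt(wrappedDEK []byte) ([]byte, error) {
	return aeadOpen(k.rootKey, wrappedDEK, []byte("dek"))
}

// Envelope is what gets stored: the encrypted secret and the encrypted DEK, side by side.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// Seal envelope-encrypts secret. The plaintext DEK exists only inside this function
// and is zeroed before it returns; it is never part of the stored Envelope.
func Seal(k *KMS, secret []byte) *Envelope {
	dek, wrapped := k.GenerateDataKey()
	defer zero(dek)
	return &Envelope{WrappedDEK: wrapped, Ciphertext: aeadSeal(dek, secret, nil)}
}

// Open reverses Seal: unwrap the DEK via the KMS, decrypt the secret with it, discard the DEK.
func Open(k *KMS, env *Envelope) ([]byte, error) {
	dek, err := k.Decrypt(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrapping DEK: %w", err)
	}
	defer zero(dek)
	return aeadOpen(dek, env.Ciphertext, nil)
}

// zero overwrites a key buffer after use.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	kms := NewKMS()
	env := Seal(kms, []byte("db-password-hunter2")) // constructed sample secret
	got, err := Open(kms, env)
	fmt.Printf("recovered %q (err=%v); wrapped DEK is %d bytes\n", got, err, len(env.WrappedDEK))
	_, err = Open(NewKMS(), env) // a different root key cannot unwrap the DEK
	fmt.Println("wrong root key:", err)
}
```

The stored envelope is only the 60-byte wrapped DEK plus the ciphertext; neither the root key nor the plaintext DEK is ever written out, and every Seal draws a new DEK, so two envelopes of the same secret share nothing but the root key. The "dek" associated data ties a wrapped blob to its purpose so it cannot be handed to Open as if it were encrypted data; AWS KMS exposes the same idea as an encryption context.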

Conclusions

The DEK does the actual encryption of the data, and it is never stored in plaintext. Only with the customer key can we recover the data encryption key, and so only with the customer key can we recover the data. So, that's one way to keep a secret.
