Ref: https://learn.cantrill.io/courses/2022818/lectures/45640673

• Summary:
• Contents:

Envelope Encryption - Key Concepts

• 🔧 Technique of encrypting encryption keys → secure data under multiple layers of keys
  • 💡 Like locking a key inside a vault, which can only be opened with another key
  • Key Encryption Key (KEK) xDD → key that encrypts/decrypts other keys
  • Data Encryption Key (DEK) → key that encrypts/decrypts bulk data
• Normally a key service stores KEKs, and customers store encrypted DEKs and data
  • Customers send requests to key service to encrypt/decrypt DEKs
  • KEKs → managed by key service; DEKs → managed by customers
  • e.g. AWS Key Management Service (KMS) is the managed key service in AWS
• Benefits
  • 👍 Permission separation (can separate KEK and DEK permissions)
    • A storage admin may manage how data is stored, but might not be able to read what is stored → extra security
  • 👍 Less data sent to key service (DEKs much more lightweight than bulk data)
  • 👍 Each DEK has isolated blast radius → Can encrypt each object with a unique DEK
    • 💡 If you use one DEK to encrypt all your data and DEK is leaked, all data is exposed
    • 💡 If you use unique DEKs to encrypt each data object/file, if one DEK is leaked, only that data object/file is exposed → Security best practice
  • 👍 Can have advantages of both asymmetric and symmetric encryption:
    • Can retain flexibility of asymmetric encryption (if KEKs are asymmetric)
    • Can retain speed/efficiency of symmetric encryption (DEKs usually symmetric)

Envelope Encryption - Encrypt/Decrypt Processes

• Scenario: we have lots of cat pictures stored in Amazon S3 (Simple Storage Service). We wish to keep them secured and encrypted with AWS KMS.
• KMS manages KMS keys, which can only encrypt/decrypt data blobs up to 4kb in size
  • KMS keys usually act as KEKs → can encrypt/decrypt lightweight (<4kb) DEKs
  • KMS keys secured in HSMs in AWS, stay inside KMS, never leave KMS
    • ❗ KMS keys are symmetric, NOT asymmetric! (because they're secured)
  • KMS has independent permissions from S3 and other AWS services → even if you can read/write objects in S3, you may not be able to encrypt/decrypt them with KMS

Encryption Process

1. Customer generates KMS key, indicates it's for use with S3
2. S3 wants to encrypt one cat picture, sends request to KMS to generate a DEK
3. KMS uses KMS key (KEK) to generate a DEK, returns BOTH a plaintext version AND a ciphertext version (wrapped DEK) to S3
4. S3 uses plaintext DEK to encrypt cat picture, then discards plaintext DEK
5. S3 stores ciphertext cat picture together with its wrapped DEK
6. Process repeated for all cat pictures