KMS envelope encryption
Definition
KMS envelope encryption is a pattern in which data is encrypted locally with a per-object data encryption key (DEK), and only that DEK is encrypted ("wrapped") with a key encryption key (KEK) that never leaves the Key Management Service (KMS). The application asks the KMS for a data key and receives it twice: in plaintext and in wrapped form. It uses the plaintext DEK in memory to encrypt the payload, discards it, and stores the wrapped DEK alongside the ciphertext. To decrypt, it sends only the wrapped DEK back to the KMS, which unwraps it, and then decrypts the payload locally. Bulk encryption therefore stays fast and local (the KMS only ever handles a few dozen bytes of key material per object; a direct AWS KMS Encrypt call, by contrast, accepts at most 4 KB of plaintext), while the KEK remains behind the KMS's access policy, audit logging and rotation: a stolen ciphertext is useless without a KMS-authorized unwrap of its DEK, and disabling or revoking the KEK makes every DEK wrapped under it unusable at once.
Secure Settings Example
# Example using AWS KMS with envelope encryption: the KMS key is the KEK and never leaves KMS
resources:
- type: aws_kms_key
  properties:
    key_usage: ENCRYPT_DECRYPT
    key_spec: SYMMETRIC_DEFAULT
    description: "KMS key for envelope encryption"
    enable_key_rotation: true
# 1. Request a data key: KMS returns the DEK both in plaintext and wrapped under the KMS key
aws kms generate-data-key --key-id alias/my-kms-key --key-spec AES_256 --output json > dek.json
jq -r .Plaintext dek.json | base64 -d > dek.bin        # plaintext DEK: use once, then destroy
jq -r .CiphertextBlob dek.json | base64 -d > dek.enc   # wrapped DEK: store next to the ciphertext
# 2. Encrypt the data locally with the DEK (any size; a direct KMS Encrypt call accepts only 4 KB)
openssl rand -hex 16 > data.iv
openssl enc -aes-256-cbc -K "$(xxd -p -c 64 dek.bin)" -iv "$(cat data.iv)" -in data.txt -out encrypted_data.bin
shred -u dek.bin dek.json                               # the plaintext DEK must not persist on disk
# 3. Decrypting: KMS unwraps only the small wrapped DEK; the payload is decrypted locally
aws kms decrypt --ciphertext-blob fileb://dek.enc --output text --query Plaintext | base64 -d > dek.bin
openssl enc -d -aes-256-cbc -K "$(xxd -p -c 64 dek.bin)" -iv "$(cat data.iv)" -in encrypted_data.bin -out decrypted_data.txt
shred -u dek.bin
Insecure Settings Example
# Example of insecure KMS configuration
resources:
- type: aws_kms_key
  properties:
    key_usage: ENCRYPT_DECRYPT
    key_spec: SYMMETRIC_DEFAULT
    description: "KMS key without key rotation"
    enable_key_rotation: false # Key rotation is disabled: one long-lived KEK wraps every DEK forever
# Encrypting data without using KMS: no DEK/KEK separation, a password is the whole secret
# - the password on the command line lands in shell history and is visible to other users via ps
# - without -pbkdf2, openssl derives the key with a single hash iteration (EVP_BytesToKey)
# - CBC without a MAC gives no integrity protection; modified ciphertext is not detected
openssl enc -aes-256-cbc -salt -in data.txt -out encrypted_data.txt -pass pass:my-weak-password