Implementing Envelope Encryption With Aws Kms

• Understand the envelope encryption pattern and its advantages
• Generate data encryption keys using AWS KMS GenerateDataKey
• Encrypt/decrypt data locally using DEKs
• Store encrypted DEK alongside ciphertext
• Implement key caching to reduce KMS API calls
• Handle key rotation with automatic re-encryption
• Implement multi-region encryption for disaster recovery

Key Concepts

Envelope Encryption Flow

1. Call kms:GenerateDataKey to get plaintext DEK + encrypted DEK
2. Use plaintext DEK to encrypt data locally (AES-256-GCM)
3. Store encrypted DEK alongside ciphertext
4. Discard plaintext DEK from memory
5. For decryption: call kms:Decrypt on encrypted DEK, then decrypt data

Advantages Over Direct KMS Encryption

KMS Key Types

• AWS Managed: AWS creates and manages (aws/s3, aws/ebs)
• Customer Managed: You create and manage policies
• Custom Key Store: Backed by CloudHSM cluster

Security Considerations

• Never store plaintext DEK; only keep encrypted DEK
• Use key policies to restrict who can call GenerateDataKey and Decrypt
• Enable AWS CloudTrail logging for all KMS API calls
• Implement key rotation (automatic annual rotation for CMKs)
• Use encryption context for authenticated encryption metadata
• Handle KMS throttling with exponential backoff

Validation Criteria

• GenerateDataKey returns plaintext and encrypted DEK
• Data encrypts correctly with plaintext DEK using AES-256-GCM
• Encrypted DEK can be decrypted via KMS Decrypt API
• Decrypted DEK recovers the original data
• Plaintext DEK is wiped from memory after use
• Encryption context is validated during decryption
• Key rotation re-encrypts DEKs with new master key