Applicable cryptographic concepts
Key Management Service helps you manage encryption keys, but understanding some basic cryptographic concepts lets you make the most out of the service.
Symmetric keys are keys used both for data encryption and decryption. At the Preview stage, KMS only supports symmetric keys.
Envelope encryption uses two types of encryption keys to simplify and improve data security: the data itself is encrypted locally using a data encryption key (DEK), while the DEK is encrypted with a symmetric KMS key.
As a result, you can store the encrypted data encryption key along with the data: to decrypt the data, you must first decrypt the key that was used to encrypt it. This lets you control access to your encrypted data by managing the encryption keys.
Key Management Service supports additional checks during decryption with KMS keys: you can pass the AAD context (Additional Authentication Data) as a string in your encryption request. For data encrypted this way, the decryption request must include, as a parameter, the same AAD context that was specified at encryption.