Envelope encryption

  • Description of the encryption process
  • Description of the decryption process
  • Implementation features of envelope encryption

Encryption with the encrypt method is limited to 32 KB of data per call. Pushing larger data volumes through KMS directly causes a number of problems:

  • Increased load on KMS caused by encryption and decryption operations.

  • Lower throughput of the encrypt and decrypt methods as the amount of data to encrypt grows.

    The encrypt and decrypt operation time includes transferring data from the client to KMS and back. As the amount of encrypted data increases, its transmission time and the load on the network increase, too.

Envelope encryption is mainly implemented on the client side and helps avoid the problems listed above.

Description of the encryption process

Unlike direct encryption, where a KMS key acts as a data encryption key, envelope encryption involves two types of keys:

  • A data encryption key (DEK).
  • A key encryption key (KEK).

Encryption is performed as follows:

  1. The client generates a DEK and locally encrypts data with it.

    To generate a high-entropy key, we recommend using the generateDataKey method. It generates keys based on the Fortuna algorithm that collects entropy from various sources (RDSEED and RDRAND, /dev/urandom, host entropy).

  2. The client sends an encrypt request to KMS for DEK encryption.

  3. In response, the client receives the encrypted DEK.

    In this scheme, the KMS key that the DEK is encrypted with acts as a KEK.

  4. The unencrypted DEK is destroyed by the client.

  5. The encrypted DEK is saved by the client along with the ciphertext.

When using envelope encryption, a wider set of algorithms is available for local encryption. You can also encrypt data with multiple DEKs, for example, to enable random access to ciphertext.

Description of the decryption process

Decryption is performed as follows:

  1. The client reads the encrypted DEK stored along with the encrypted data.
  2. The client sends a decrypt request to KMS for DEK decryption.
  3. In response, the client receives the decrypted DEK.
  4. The encrypted data is locally decrypted using the DEK.
  5. The DEK is destroyed.

Implementation features of envelope encryption

Envelope encryption shifts some of the responsibility for secure data encryption to the client. When implementing this scheme, it's important to:

  • Use secure algorithms for local encryption.

  • Make sure you don't save DEKs as plaintext.

    Warning

    A plaintext DEK should only be decrypted for the duration of data encryption or decryption operations and destroyed immediately afterwards.

  • Use different DEKs for different data.

  • Generate new DEKs when data is re-encrypted.

To avoid errors, we recommend using the AWS Encryption SDK or Google Tink for client-side encryption.
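The encryption and decryption steps above, together with the implementation rules (fresh DEK per message, plaintext DEK wiped right after use, an authenticated local cipher), as an added example in Go; this is not code from Yandex.Cloud or its SDK. It assumes a local stand-in type KMS that wraps the DEK under a KEK in place of the real encrypt/decrypt calls, and AES-GCM as the local algorithm.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Envelope struct{ WrappedDEK, Ciphertext []byte } // stored together: step 5 of the page
// KMS is a local stand-in (assumption) for Yandex KMS encrypt/decrypt; the KEK never leaves it.
type KMS struct{ KEK []byte }

func (k *KMS) Encrypt(dek []byte) ([]byte, error)     { return seal(k.KEK, dek) }
func (k *KMS) Decrypt(wrapped []byte) ([]byte, error) { return open(k.KEK, wrapped) }
func gcm(key []byte) (cipher.AEAD, error) { // key length picks AES-128/192/256
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
func seal(key, pt []byte) ([]byte, error) { // AES-GCM, fresh random nonce prepended to the output
	aead, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil { return nil, err }
	return append(nonce, aead.Seal(nil, nonce, pt, nil)...), nil
}
func open(key, blob []byte) ([]byte, error) { // reverses seal; fails if nonce, data or tag changed
	aead, err := gcm(key)
	if err != nil { return nil, err }
	if n := aead.NonceSize(); len(blob) >= n { return aead.Open(nil, blob[:n], blob[n:], nil) }
	return nil, errors.New("envelope: ciphertext too short")
}

// EnvelopeEncrypt: fresh 256-bit DEK per message (a real client would take it from
// generateDataKey), local encryption, DEK wrapped by KMS, plaintext DEK wiped even on error paths.
func EnvelopeEncrypt(kms *KMS, data []byte) (e Envelope, err error) {
	dek := make([]byte, 32)
	if _, err = rand.Read(dek); err != nil { return e, err }
	defer zero(dek) // step 4: destroy the unencrypted DEK
	if e.Ciphertext, err = seal(dek, data); err != nil { return e, err }
	e.WrappedDEK, err = kms.Encrypt(dek) // steps 2-3: only the KMS-encrypted DEK is kept
	return e, err
}

func EnvelopeDecrypt(kms *KMS, e Envelope) ([]byte, error) { // unwrap via KMS, decrypt locally, wipe
	dek, err := kms.Decrypt(e.WrappedDEK)
	if err != nil { return nil, err }
	defer zero(dek) // step 5: the DEK lives only for the duration of the operation
	return open(dek, e.Ciphertext)
}
func zero(b []byte) { for i := range b { b[i] = 0 } }
```

Because each call draws a new DEK, two envelopes of the same plaintext carry different wrapped DEKs, and a ciphertext can only be read through a KMS holding the same KEK.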

© 2021 Yandex.Cloud LLC