
AWS Exam Prep: What Is Envelope Encryption?

I hold AWS Certified SysOps Administrator, AWS Certified Developer, and AWS Certified Solutions Architect certifications.

Encryption is a method of scrambling data so that unauthorized individuals like hackers can't access it

If you're preparing for the AWS Certified Developer Associate (DVA-C01) certification exam, you need to understand the concept of envelope encryption at a high level. While it's not particularly difficult to understand, remembering which key does what can be confusing.

This is an example of potential answers to a question on one of the AWS Certified Developer Associate practice tests I took. This particular question involved a two-part answer.

  • Use the GenerateDataKey operation to get a data encryption key then use the plaintext data key in the response to encrypt data locally
  • Erase the plaintext data key from memory and store the encrypted data key alongside the locally encrypted data

The wrong choices in a question like this will mix up the keys. For example, instead of erasing the plaintext key from memory, a wrong option might involve erasing the encrypted key from memory. To get a question like this correct on practice tests or on the actual certification exam, you have to know exactly what task each of these keys performs when encrypting and decrypting data.

Why Is Envelope Encryption Necessary?

Envelope encryption is necessary because an AWS KMS Customer Master Key (CMK) can only encrypt data up to 4 KB in size. Because this limit is so low, envelope encryption uses the CMK to encrypt a data key, and that data key is then used to encrypt larger amounts of data. Envelope encryption uses these keys:

  • Customer Master Key (CMK)
  • Encrypted data key
  • Plaintext data key

I'll use a sports analogy that may make envelope encryption easier to understand.

Sports Analogy

Imagine there's a sport called Encryptball. Each round involves the team captain and two players. Here are the rules:

  • The captain chooses two players (Player A and Player B) to play the first round
  • Player A takes the ball and charges to the end zone in an attempt to score a goal
  • Afterward, Player B stays on the field while Player A goes back to the sidelines
  • At the beginning of the second round, the captain asks Player B who is still on the field to choose a player from the sidelines
  • That player comes onto the field and attempts to stop a player on the other side from reaching the end zone

Here's how this relates to envelope encryption:

  • The captain on this team is the Customer Master Key (CMK)
  • The two players sent out onto the field are the encrypted data key and the plaintext data key
  • At the end of the round, the encrypted data key stays on the field while the plaintext data key goes back to the sidelines
  • At the start of the next round, the CMK has the encrypted data key choose a player from the sidelines to serve as the plaintext data key

Real World Example

Now imagine a computer application that must encrypt social security numbers. The application uses a KMS Customer Master Key (CMK) to generate a data key using the GenerateDataKey API. This data key has two versions:

  • An encrypted version
  • A plaintext version

The KMS Customer Master Key (CMK) creates an encrypted data key and a plaintext data key

  • The plaintext version encrypts the data
  • The encrypted version gets stored in the database with that data
  • The plaintext key is erased from memory

This is like the two players in the game. One stays on the field because they are still needed while the other goes back to the sidelines.

The plaintext key encrypts the data before being erased while the encrypted key is stored with the data

Of course, an application that has to encrypt data also has to decrypt it when it's needed. These are the decryption steps:

  • KMS decrypts the encrypted data key
  • This returns the plaintext data key, which then decrypts the data

This is like the captain telling Player B (the encrypted data key) to choose a player from the sidelines. This player (the plaintext key) attempts to stop a member of the opposing team from reaching the end zone.

KMS uses the encrypted data key to create a plaintext key which decrypts the data

To sum up envelope encryption:

  • The CMK creates a data key with two versions: encrypted and plaintext
  • The plaintext version encrypts the data and is then erased
  • The encrypted version is stored with the data

To sum up decryption:

  • KMS decrypts the encrypted data key
  • This creates a plaintext key
  • The plaintext key decrypts the data
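The complete encrypt-then-decrypt flow summarised above, as an added example that is not part of the article. It assumes a local stand-in for KMS: the CMK is a 32-byte key held in memory and GenerateDataKey/Decrypt are simulated with AES-256-GCM (real CMK key material never leaves KMS); the application-side handling of the two data key forms is exactly what the practice question describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// seal encrypts with AES-256-GCM and prefixes the random nonce to the output.
// Every key in this example is 32 bytes, so the ignored NewCipher/NewGCM errors cannot occur.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; the GCM tag check fails on a wrong key or tampered data.
func open(key, sealed []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed blob too short")
}
// zero erases key material that is no longer needed.
func zero(b []byte) { copy(b, make([]byte, len(b))) }
// kmsGenerateDataKey stands in for KMS GenerateDataKey (assumed here; the real
// CMK never leaves KMS): one fresh data key, returned in plaintext and encrypted form.
func kmsGenerateDataKey(cmk []byte) (plaintext, encrypted []byte) {
	plaintext = make([]byte, 32)
	rand.Read(plaintext)
	return plaintext, seal(cmk, plaintext)
}
// EncryptRecord: the plaintext data key encrypts locally and is then erased;
// the encrypted data key goes back to the caller to be stored with the ciphertext.
func EncryptRecord(cmk, record []byte) (encryptedDataKey, ciphertext []byte) {
	dk, edk := kmsGenerateDataKey(cmk)
	defer zero(dk)
	return edk, seal(dk, record)
}
// DecryptRecord: KMS Decrypt unwraps the stored key; that plaintext key decrypts the data.
func DecryptRecord(cmk, encryptedDataKey, ciphertext []byte) ([]byte, error) {
	dk, err := open(cmk, encryptedDataKey) // the KMS Decrypt step
	if err != nil {
		return nil, err
	}
	defer zero(dk)
	return open(dk, ciphertext)
}
```

Only the encrypted data key and the ciphertext ever reach storage; a caller holding a different CMK cannot unwrap the key, and any change to the stored ciphertext is caught by the GCM tag.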

Look at these answers to a question on a practice test again. They should make sense now.

  • Use the GenerateDataKey operation to get a data encryption key then use the plaintext data key in the response to encrypt data locally
  • Erase the plaintext data key from memory and store the encrypted data key alongside the locally encrypted data

Encrypting Data with AWS KMS Simply Explained

The easiest way to understand envelope encryption is to break down the steps.


© 2022 LT Wright
