Envelope encryption is a method of encrypting data where a data encryption key (DEK) is used to encrypt the actual data, and then the DEK itself is encrypted using a key encryption key (KEK). This approach combines the efficiency of symmetric encryption for data with the security of asymmetric encryption for key management.
Here’s how it works:
When decrypting:
Example:
A cloud application stores sensitive user files. It generates a DEK to encrypt each file. The DEK is encrypted with a KEK stored in Tencent Cloud’s Key Management Service (KMS). The encrypted file and encrypted DEK are saved to storage. When accessing the file, the application retrieves the encrypted DEK, decrypts it using the KEK from KMS, and then uses the DEK to decrypt the file.
Tencent Cloud’s KMS provides secure KEK storage, automated key rotation, and fine-grained access control, making it ideal for envelope encryption workflows.
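The workflow described above, as an added example that is not part of the original page and not Tencent Cloud's SDK: a small Go program in which a constructed, in-process `fakeKMS` stands in for the KMS (it holds KEKs under ids such as "kek-v1" and only ever hands out wrapped or unwrapped DEKs, never KEK bytes), the application generates a per-file DEK, seals the file with AES-256-GCM, and stores the ciphertext next to the KMS-wrapped DEK. It also goes one step beyond the text by showing KEK rotation: only the wrapped DEK is re-wrapped, the file ciphertext is never touched. All names, key ids and the sample file content are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG: nothing sensible to do but stop
	}
	return b
}

// aesGCM builds an AES-GCM AEAD; every key in this program is 32 bytes, so neither call can fail.
func aesGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// sealAESGCM: AES-256-GCM with a fresh random nonce prepended; aad is authenticated, not encrypted.
func sealAESGCM(key, plaintext, aad []byte) []byte {
	aead := aesGCM(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// openAESGCM reverses sealAESGCM; any change to nonce, ciphertext, tag or aad fails authentication.
func openAESGCM(key, blob, aad []byte) ([]byte, error) {
	aead := aesGCM(key)
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// fakeKMS is a constructed stand-in for a cloud KMS (not Tencent Cloud KMS or its SDK): KEK id -> 256-bit AES KEK.
type fakeKMS map[string][]byte

// Encrypt wraps a DEK under the named KEK, binding the KEK id as AAD so the blob only unwraps under that id.
func (k fakeKMS) Encrypt(keyID string, dek []byte) ([]byte, error) {
	kek, ok := k[keyID]
	if !ok {
		return nil, errors.New("unknown KEK id: " + keyID)
	}
	return sealAESGCM(kek, dek, []byte(keyID)), nil
}

// Decrypt unwraps a DEK; this is the only way the application ever gets a DEK back from storage.
func (k fakeKMS) Decrypt(keyID string, wrappedDEK []byte) ([]byte, error) {
	kek, ok := k[keyID]
	if !ok {
		return nil, errors.New("unknown KEK id: " + keyID)
	}
	return openAESGCM(kek, wrappedDEK, []byte(keyID))
}

// Envelope is what the application persists beside the file: ciphertext, wrapped DEK, and the KEK id.
type Envelope struct {
	KeyID                  string
	WrappedDEK, Ciphertext []byte
}

// EncryptFile generates a DEK locally, seals the data with it, and keeps only the KMS-wrapped DEK.
func EncryptFile(kms fakeKMS, keyID string, data []byte) (*Envelope, error) {
	dek := randomBytes(32)
	wrapped, err := kms.Encrypt(keyID, dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: sealAESGCM(dek, data, nil)}, nil
}

// DecryptFile unwraps the DEK via the KMS, then decrypts the bulk data locally.
func DecryptFile(kms fakeKMS, env *Envelope) ([]byte, error) {
	dek, err := kms.Decrypt(env.KeyID, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return openAESGCM(dek, env.Ciphertext, nil)
}

// RotateKEK rewraps the DEK under a new KEK; the (possibly large) file ciphertext is untouched.
func RotateKEK(kms fakeKMS, env *Envelope, newKeyID string) error {
	dek, err := kms.Decrypt(env.KeyID, env.WrappedDEK)
	if err != nil {
		return err
	}
	wrapped, err := kms.Encrypt(newKeyID, dek)
	if err == nil {
		env.KeyID, env.WrappedDEK = newKeyID, wrapped
	}
	return err
}
```

Two design points carry over to a real deployment. First, the wrapped DEK is bound to its KEK id through the GCM associated data, so a stored blob cannot be presented to the KMS under a different key id; a real KMS enforces the same binding in its own ciphertext format. Second, rotation here round-trips the plaintext DEK through application memory because the stand-in has no server-side re-encrypt operation; with a real KMS you would prefer a re-encrypt call that keeps the DEK inside the service, and in either case the plaintext DEK should be dropped (and ideally zeroed) as soon as the file operation completes.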