Envelope encryption requires specific data storage considerations to manage both the data encryption keys (DEKs) and the customer master keys (CMKs) securely. Here's a breakdown:
Storage for Encrypted Data: The data itself, encrypted under a DEK, is stored in your primary storage system, such as a database, object storage, or a file system. For example, if you encrypt files in a cloud storage bucket, the encrypted files are stored directly in the bucket.
Storage for DEKs: The DEKs (used to encrypt the actual data) must themselves be encrypted with a CMK and stored alongside the encrypted data, so that each DEK is protected at rest yet available whenever the data has to be decrypted. For instance, when encrypting a database record, the DEK used for that record is encrypted with a CMK and stored in the same database.
Storage for CMKs: The CMKs (used to encrypt DEKs) are stored in a secure key management system, such as a cloud-based Key Management Service (KMS). The CMKs should never leave this system: the application sends a DEK to the KMS to be encrypted or decrypted rather than fetching the CMK itself. For example, Tencent Cloud's KMS service securely stores and manages CMKs, allowing you to encrypt and decrypt DEKs without exposing the CMKs.
Example Workflow:
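The three storage roles above, shown as an added example in Go that is not code from the original page or from Tencent Cloud's SDK: the KMS map, the CMK ID "cmk-1" and the use of AES-GCM for wrapping are assumptions standing in for a real KMS, which would perform the wrap and unwrap calls on its side.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
)
// Envelope is what is stored beside the data; only the CMK's ID is recorded, never the CMK.
type Envelope struct{ CMKID string; WrappedDEK, Ciphertext []byte }
// KMS stands in for a cloud KMS (an assumption of this example): CMKs live only here, and
// the two places below that index it are the wrap/unwrap calls a real KMS would serve.
type KMS map[string][]byte

// seal encrypts with AES-GCM under a fresh random nonce, which is prefixed to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // also rejects the nil key an unknown CMK ID yields
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a truncated blob or a failed tag check is an error, not a panic.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if n := gcm.NonceSize(); len(blob) >= n { return gcm.Open(nil, blob[:n], blob[n:], nil) }
	return nil, io.ErrUnexpectedEOF
}

// Encrypt: fresh 256-bit DEK per record, data sealed with it, DEK wrapped under the CMK;
// only the Envelope is returned for storage and the plaintext DEK is discarded.
func Encrypt(kms KMS, cmkID string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil { return nil, err }
	ct, err := seal(dek, plaintext)
	if err != nil { return nil, err }
	wrapped, err := seal(kms[cmkID], dek) // the KMS wrap call; the CMK stays inside the KMS
	if err != nil { return nil, err }
	return &Envelope{CMKID: cmkID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt has the KMS unwrap the stored DEK, then opens the data locally with it.
func Decrypt(kms KMS, env *Envelope) ([]byte, error) {
	dek, err := open(kms[env.CMKID], env.WrappedDEK) // the KMS unwrap call
	if err != nil { return nil, err }
	return open(dek, env.Ciphertext)
}
```

Rotating the CMK in this model means re-wrapping each stored DEK under the new CMK; the data ciphertext itself does not need to be re-encrypted.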
Tencent Cloud KMS provides a managed service for CMKs, which satisfies the requirement of envelope encryption that CMKs be stored and used only inside a key management system.