Envelope encryption security is ensured through a combination of cryptographic techniques and key management practices. Here's how it works:
- Data Encryption Key (DEK): A unique symmetric key (DEK) is generated to encrypt the actual data. This ensures fast and efficient encryption of large datasets.
- Key Encryption Key (KEK): The DEK is then encrypted using a separate asymmetric key pair (KEK), typically stored in a secure key management system. This adds an extra layer of protection.
- Secure Key Storage: The encrypted DEK (envelope) is stored alongside the encrypted data, while the KEK remains securely stored in a key management service (KMS).
- Access Control: Only authorized entities with access to the KEK can decrypt the DEK and subsequently access the encrypted data.
Example:
- A company encrypts sensitive user data using a DEK.
- The DEK is encrypted with a KEK stored in Tencent Cloud's Key Management Service (KMS).
- Even if the encrypted data is exposed, attackers cannot decrypt it without access to the KEK in Tencent Cloud KMS.
Tencent Cloud KMS provides secure key storage, access policies, and audit logs to enhance envelope encryption security.
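
The flow described above, as an added Node.js example (not code from the original page or from Tencent Cloud): locally generated RSA key pairs stand in for a KMS-held KEK, and the function names, envelope fields and the use of the wrapped DEK as AES-GCM associated data are assumptions of this example. It goes one step past the text by also checking that a different KEK, or a modified ciphertext, fails to open.

```javascript
const nodeCrypto = require('node:crypto');

// Seal: fresh 256-bit DEK per object, AES-256-GCM for the data, then
// RSA-OAEP (SHA-256) under the KEK public key to wrap the DEK.
function sealEnvelope(kekPublic, plaintext) {
  const dek = nodeCrypto.randomBytes(32);
  const nonce = nodeCrypto.randomBytes(12);
  const wrappedDek = nodeCrypto.publicEncrypt({ key: kekPublic, oaepHash: 'sha256' }, dek);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', dek, nonce);
  cipher.setAAD(wrappedDek); // binds the ciphertext to this wrapped DEK
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { wrappedDek, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Open: unwrapping needs the KEK private key. With a real KMS this step is a
// remote decrypt call gated by access policy; here it is a local key (assumption).
function openEnvelope(kekPrivate, envelope) {
  const dek = nodeCrypto.privateDecrypt({ key: kekPrivate, oaepHash: 'sha256' }, envelope.wrappedDek);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', dek, envelope.nonce);
  decipher.setAAD(envelope.wrappedDek);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
}

// Returns true when openEnvelope() succeeds, false when it throws.
function canOpen(kekPrivate, envelope) {
  try { return openEnvelope(kekPrivate, envelope).length >= 0; } catch { return false; }
}

// Constructed demo: sample record and two local key pairs, no real KMS involved.
function demo() {
  const newKek = () => nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const kek = newKek(), otherKek = newKek();
  const env = sealEnvelope(kek.publicKey, Buffer.from('constructed sample record'));
  const tampered = { ...env, ciphertext: Buffer.from(env.ciphertext) };
  tampered.ciphertext[0] ^= 1; // flip one bit of the stored ciphertext
  return {
    roundTrip: openEnvelope(kek.privateKey, env).toString(),
    wrongKek: canOpen(otherKek.privateKey, env),
    tampered: canOpen(kek.privateKey, tampered),
  };
}

console.log(demo());
```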