Envelope encryption is a cryptographic technique that combines symmetric and asymmetric encryption to securely encrypt data. Here's the workflow with an example and a relevant cloud service recommendation:
Generate a Data Encryption Key (DEK): A symmetric key (e.g., AES-256) is randomly generated to encrypt the actual data.
Encrypt the Data with the DEK: The symmetric key encrypts the data.
Encrypt the DEK with a Key Encryption Key (KEK): An asymmetric key pair (e.g., RSA or ECC) is used to encrypt the DEK. The KEK is typically stored securely, such as in a key management system.
Store or Transmit the Encrypted Data and Encrypted DEK: The ciphertext and the encrypted DEK are stored or sent together. The KEK itself is never stored or sent alongside them; it stays in its secure location.
Decrypt the DEK with the KEK: When needed, the KEK decrypts the DEK.
Decrypt the Data with the DEK: The symmetric key decrypts the original data.
For secure key management in cloud environments, Tencent Cloud Key Management Service (KMS) can be used to store and manage KEKs, ensuring compliance and reducing operational overhead. It supports envelope encryption workflows by integrating with other Tencent Cloud services for data protection.