What is the difference between envelope encryption and traditional encryption?

Envelope encryption and traditional encryption differ in how they handle data encryption keys and the encryption process.

Traditional Encryption:
In traditional encryption, a single key (symmetric) or a pair of keys (asymmetric) is used to directly encrypt and decrypt the data. For example, AES (Advanced Encryption Standard) is a symmetric encryption algorithm in which the same key encrypts and decrypts the data. This approach is simple, but all protection rests on that one key: if it is compromised, everything encrypted under it can be decrypted.

Envelope Encryption:
Envelope encryption uses a two-layer approach:

  1. A data encryption key (DEK) is generated to encrypt the actual data.
  2. The DEK is then encrypted using a key encryption key (KEK), which is securely stored (e.g., in a key management service).

This method enhances security because the DEK is never stored in plaintext: it exists unencrypted only in memory while it is in use, and only its KEK-encrypted form is persisted alongside the data. Even if the encrypted data and the wrapped DEK are exposed, decrypting them still requires the KEK, which stays under the protection of the key management service.

Example:

  • Traditional Encryption: Encrypting a file with AES-256 using a single key. If the key is stolen, the file can be decrypted.
  • Envelope Encryption: Generating a random AES-256 key to encrypt the file, then encrypting the AES key with a KEK stored in Tencent Cloud's Key Management Service (KMS). The DEK is only decrypted when needed, reducing exposure risks.

Tencent Cloud KMS supports envelope encryption, allowing users to securely manage KEKs while encrypting data with transient DEKs. This is ideal for protecting sensitive data in cloud storage or databases.