DEV Community

Chirag Modi

AWS KMS Envelope Encryption

Background and Introduction

Traditionally, applications stored the keys used for data encryption and decryption in application config files. The drawback of keeping keys in config files is the risk involved if they are not stored and managed properly.

AWS Key Management Service (KMS) is a fully managed service that AWS itself uses to encrypt and decrypt data at rest for AWS services such as S3, EBS and RDS.

AWS KMS is a highly available key management service for accessing, storing and auditing secret keys called CMKs (Customer Master Keys).

There are two types of CMK (Customer Master Key).

AWS Managed CMKs

  • AWS creates a key for each of its services that provides data encryption. These keys are managed by AWS, and each one is the default CMK used to encrypt and decrypt data for that particular service.
  • The customer has little control over these keys; they can only be viewed in KMS.

Customer Managed CMKs

  • The customer creates keys in KMS and has full control over their management: audit logging, key rotation, key deletion, etc.
  • The customer can also import their own key material into KMS.

How does Envelope Encryption work?

An AWS KMS key, called a CMK (Customer Master Key), is used to encrypt and decrypt data, but it has a limitation: it can encrypt at most 4 KB of data. So the question pops up: how does AWS use it to encrypt large datasets in S3, EBS, etc.?

You got it right: envelope encryption.

Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key.

Let's see how envelope encryption works. Before encrypting any data, the customer needs to create one or more CMKs (Customer Master Keys) in AWS KMS.

Encryption

  • An API request is sent to KMS to generate a data key under the CMK.
  • KMS returns a response containing the plaintext data key and the same data key encrypted under the CMK.
  • The data is encrypted locally using the plaintext data key.
  • The plaintext data key is removed from memory.
  • The encrypted data and the encrypted data key are packaged together as an envelope and stored.

Decryption

  • The encrypted data key is extracted from the envelope.
  • An API request is sent to KMS with the encrypted data key; the encrypted key carries the information about which CMK KMS must use to decrypt it.
  • KMS returns a response containing the plaintext data key.
  • The encrypted data is decrypted locally using the plaintext data key.
  • The plaintext data key is removed from memory.
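
The two flows above carried out end to end, as an added example that is my own code and not from the original post. It is written in Go so it runs offline: AES-256-GCM plays both roles, the wrapping of the data key under the CMK and the local bulk encryption, and the two KMS API calls are replaced by the stand-in functions kmsGenerateDataKey and kmsDecrypt, which hold the CMK in-process purely for the demonstration (with real KMS the CMK never leaves the service). The names Envelope, seal, open and zero, and the sample data, are my own constructions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Envelope struct{ EncryptedKey, Ciphertext []byte } // stored together: wrapped data key + ciphertext
// seal: AES-256-GCM with the random nonce prepended; open reverses it and rejects a bad tag.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(sealed) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
// Constructed stand-ins for the two KMS calls (not the real SDK): the CMK stays inside them, and only the 32-byte data key ever passes through it, well under the 4 KB limit.
func kmsGenerateDataKey(cmk []byte) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err == nil { wrapped, err = seal(cmk, plain) }
	return plain, wrapped, err
}
func kmsDecrypt(cmk, wrapped []byte) ([]byte, error) { return open(cmk, wrapped) }
func zero(b []byte) { for i := range b { b[i] = 0 } } // wipe a plaintext data key after use
func EnvelopeEncrypt(cmk, data []byte) (Envelope, error) { // one KMS call for the key; bulk data encrypted locally
	plain, wrapped, err := kmsGenerateDataKey(cmk)
	if err != nil { return Envelope{}, err }
	defer zero(plain) // plaintext data key leaves memory as soon as the data is encrypted
	ct, err := seal(plain, data)
	return Envelope{EncryptedKey: wrapped, Ciphertext: ct}, err
}
// EnvelopeDecrypt: only the small wrapped key goes back to KMS; the bulk ciphertext never does.
func EnvelopeDecrypt(cmk []byte, e Envelope) ([]byte, error) {
	plain, err := kmsDecrypt(cmk, e.EncryptedKey)
	if err != nil { return nil, err }
	defer zero(plain)
	return open(plain, e.Ciphertext)
}
```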


In this article I have explained what envelope encryption in AWS KMS is and how large amounts of data can be encrypted and decrypted using the envelope encryption method.

I am looking forward to putting together a hands-on exercise on this in the next article.

Thanks for joining me.

