Envelope Encryption

Encrypt data with a data key, then encrypt that key with a master key for scalable security.

The Scaling Problem

Encrypting huge volumes of data directly with one master key is slow and dangerous: every operation touches the most precious key, and rotating it would mean re-encrypting everything. Envelope encryption solves this with two layers of keys.

How It Works

  • Generate a unique data encryption key for the data or object.
  • Encrypt the data with that data key using fast symmetric encryption.
  • Encrypt the data key itself with a key encryption key, often held in a key management service.
  • Store the encrypted data key alongside the ciphertext.

To read the data, you ask the key service to decrypt the data key, then use it to decrypt the data.

Why This Helps

  • The master key never leaves the key management service; only data keys travel.
  • Rotating the master key means re-encrypting only the small data keys, not all data.
  • Each object can have its own data key, limiting the blast radius of a leaked one.
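
The steps under "How It Works" and the rotation property listed above, as an added Ruby example that is not part of the original lesson. It assumes AES-256-GCM from Ruby's bundled OpenSSL binding as the symmetric cipher, and a key held in a local variable stands in for the key management service; all method names are illustrative.

```ruby
require 'openssl'

Envelope = Struct.new(:wrapped_dek, :ciphertext) # what gets stored together

# AES-256-GCM; output layout is nonce(12) || tag(16) || ciphertext.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv
  c.auth_data = ''
  body = c.update(plaintext) + c.final
  nonce + c.auth_tag + body
end

# Raises OpenSSL::Cipher::CipherError on a wrong key or an altered blob.
def unseal(key, blob)
  raise ArgumentError, 'blob too short' unless blob.bytesize > 28
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = blob.byteslice(0, 12)
  d.auth_tag = blob.byteslice(12, 16)
  d.auth_data = ''
  d.update(blob.byteslice(28..)) + d.final
end

# A fresh data key per object encrypts the data; the KEK only wraps that key.
def envelope_encrypt(kek, data)
  dek = OpenSSL::Random.random_bytes(32)
  Envelope.new(seal(kek, dek), seal(dek, data))
end

# Unwrapping is the key service's step; here the KEK is local (assumption).
def envelope_decrypt(kek, env)
  unseal(unseal(kek, env.wrapped_dek), env.ciphertext)
end

# Rotation rewraps the 32-byte data key only; the data ciphertext is reused.
def rotate_kek(old_kek, new_kek, env)
  Envelope.new(seal(new_kek, unseal(old_kek, env.wrapped_dek)), env.ciphertext)
end

if __FILE__ == $PROGRAM_NAME
  old_kek, new_kek = Array.new(2) { OpenSSL::Random.random_bytes(32) }
  env = envelope_encrypt(old_kek, 'constructed sample record')
  rotated = rotate_kek(old_kek, new_kek, env)
  puts envelope_decrypt(new_kek, rotated)
  puts "data ciphertext unchanged by rotation: #{rotated.ciphertext == env.ciphertext}"
end
```

After rotation the old master key can no longer unwrap the data key, so retiring it cuts off access without touching the stored data.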

Key idea

Envelope encryption protects data with per-object data keys and wraps those keys under a master key, so the master stays safe and rotation only touches small keys.

Check yourself

1. In envelope encryption, what encrypts the actual data?

2. Why does rotating the master key stay cheap?

3. Where does the master key ideally stay?