Envelope Encryption is a high-performance encryption and decryption solution for handling massive data. For large files or performance-sensitive data, use the GenerateDataKey API to generate a Data Encryption Key (DEK). Only the DEK is transmitted to the KMS server, where it is encrypted and decrypted with the CMK; all business data is processed using efficient local symmetric encryption, minimizing the impact on the user experience.
In practical business scenarios with high data encryption performance requirements and large volumes of encrypted data, generating DEKs for local data encryption and decryption delivers the necessary encryption performance while still relying on KMS to guarantee the randomness and security of the data keys.
KMS Encryption Scheme Comparison

| Comparison Item | Encrypting Sensitive Information | Envelope Encryption |
| --- | --- | --- |
| Associated Keys | CMK | CMK, DEK |
| Performance | Symmetric encryption via remote invocation | Minimal remote symmetric encryption (DEK only), massive local symmetric encryption |
| Primary Scenarios | Keys, certificates, and small data; suitable for scenarios with lower invocation frequency. | Massive large-scale data; suitable for scenarios with high performance requirements. |
Schematic Diagram
In this scenario, the CMK generated by KMS is the root resource used to generate and obtain the plaintext and ciphertext of the DEK. Based on the actual business scenario, the user first encrypts local data in memory using the DEK plaintext, then stores the DEK ciphertext together with the encrypted data on disk. Later, in the business decryption scenario, KMS is called to decrypt the DEK ciphertext, and the recovered DEK plaintext is used to decrypt the data in memory.
Features
Efficient: All business data is processed using efficient local symmetric encryption, minimizing the impact on the user experience. As for the overhead of creating, encrypting and decrypting DEKs: except in extreme cases where a "one-time pad" scheme is required, most scenarios allow a DEK's plaintext and ciphertext to be reused over a period of time, so in most cases this overhead is minimal.
Secure and user-friendly: The security of Envelope Encryption rests on the protection provided by KMS keys. Business data is safeguarded by the DEK, while Tencent Cloud KMS protects the DEK and offers enhanced availability. Your primary key (CMK) is mainly used to generate DEKs, and only entities with key access permissions can perform operations on it.
Supports and Limits
Pay attention to the secure storage of SecretId and SecretKey:
Tencent Cloud API authentication primarily relies on SecretId and SecretKey, which are the user's unique authentication credentials. Business systems require these credentials to call Tencent Cloud APIs.
Pay attention to the access control of SecretId and SecretKey:
It is recommended to use sub-accounts and manage risks by granting interface permissions based on business requirements.
Caution should be exercised when handling plaintext keys in business systems:
In Envelope Encryption scenarios the DEK is a symmetric key, so its plaintext must not be stored on disk and should only be used within the memory of the business process.
DEK processing by the backend system:
In envelope encryption scenarios, symmetric encryption is used. Depending on business requirements, the same data key can be reused, or different data keys can be used for different users and time periods so that a single DEK is not shared across them.
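The following is an added example (not code from this page or from the Tencent Cloud SDK) that walks through the envelope flow described under the schematic diagram and the two DEK handling rules above: one GenerateDataKey call yields a DEK that encrypts a whole batch of records locally, only the DEK ciphertext is written into the stored record, and a later Decrypt call unwraps the DEK before local decryption. `FakeKms` is a hypothetical in-process stand-in for the KMS service, and the SHA-256 counter-mode keystream with an HMAC tag is a stand-in for a real AEAD such as AES-GCM so the script runs with the standard library only; the key ids and record contents are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one 256-bit key.
    return hashlib.sha256(label + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode, standing in for an AES-CTR keystream.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject any modified ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or key does not match")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class FakeKms:
    """Hypothetical in-process stand-in for the KMS service (not the Tencent SDK).
    The CMK never leaves this object; callers only ever see DEKs."""

    def __init__(self) -> None:
        self._cmks: Dict[str, bytes] = {}

    def create_key(self) -> str:
        key_id = "cmk-" + secrets.token_hex(8)  # constructed key id
        self._cmks[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id: str) -> Tuple[bytes, bytes]:
        # Plays the role of GenerateDataKey: (DEK plaintext, DEK ciphertext under the CMK).
        dek = secrets.token_bytes(32)
        return dek, sym_encrypt(self._cmks[key_id], dek)

    def decrypt(self, key_id: str, dek_ciphertext: bytes) -> bytes:
        # Plays the role of Decrypt: unwraps a DEK ciphertext with the named CMK.
        return sym_decrypt(self._cmks[key_id], dek_ciphertext)


def envelope_encrypt_batch(kms: FakeKms, key_id: str, items: List[bytes]) -> Dict:
    """One remote call per batch, then local encryption of every item with the same DEK.
    The returned record is safe to write to disk: it carries only the DEK ciphertext."""
    dek_plain, dek_cipher = kms.generate_data_key(key_id)
    bodies = [sym_encrypt(dek_plain, item) for item in items]
    del dek_plain  # the plaintext DEK lives only in process memory, never in the record
    return {"key_id": key_id, "dek_ciphertext": dek_cipher, "bodies": bodies}


def envelope_decrypt_batch(kms: FakeKms, record: Dict) -> List[bytes]:
    """One remote Decrypt call to unwrap the DEK, then local decryption of each item."""
    dek_plain = kms.decrypt(record["key_id"], record["dek_ciphertext"])
    return [sym_decrypt(dek_plain, body) for body in record["bodies"]]


def is_rejected(kms: FakeKms, record: Dict) -> bool:
    """True if the stored record fails authentication (tampered body or DEK ciphertext)."""
    try:
        envelope_decrypt_batch(kms, record)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    kms = FakeKms()
    cmk_id = kms.create_key()
    batch = [b"customer record 1", b"customer record 2"]  # constructed sample data
    stored = envelope_encrypt_batch(kms, cmk_id, batch)
    print(envelope_decrypt_batch(kms, stored) == batch)
```

Per-user or per-period DEK separation, as the last rule above suggests, is simply a matter of calling `envelope_encrypt_batch` once per user or period: each call spends one remote GenerateDataKey invocation and yields its own DEK ciphertext, while everything inside the batch stays local.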