Envelope encryption is an encryption mechanism similar to the digital envelope technology. Envelope encryption allows you to encrypt data by using data keys and encapsulate data keys in an envelope to ensure security during the storage, transfer, and use of data keys. Customer master keys (CMKs) are not used to directly encrypt or decrypt data.

Benefits

You may encounter the following issues when you use data keys:

  • Security risks: Security risks such as eavesdropping and phishing may occur during the process of transferring your sensitive data to Alibaba Cloud over the network.
  • Absence of mutual trust and reliable certificates: You may not trust Alibaba Cloud and may not want to upload your sensitive data to Alibaba Cloud. In addition, Alibaba Cloud cannot prove that it will never misuse or leak the received sensitive data.
  • Poor performance and high costs: If you have a large amount of sensitive data, a secure channel is required to transfer the data to an Alibaba Cloud server and the processed data must be encrypted before the server transfers the data to you. Such a process has a great impact on the service performance of Alibaba Cloud. In addition, high costs are required to transfer a large amount of data.

Envelope encryption has the following benefits:

  • Protection for data keys: When data is encrypted by envelope encryption, data keys are also encrypted. Encrypted data and encrypted data keys can be safely stored together.
  • Provision of trust and reliable certificates: Key Management Service (KMS) implements access control on and generates trackable logs for all operations on data keys. KMS also provides records of all data keys to meet your auditing and compliance requirements.
  • High performance and cost-effectiveness: KMS calls key-related API operations to generate online data keys and uses offline data keys to encrypt a large number of local files.

Encrypt and decrypt local files

  • Encryption processEncryption
    1. Create a CMK.
    2. Call the GenerateDataKey operation to generate a data key. KMS returns the plaintext and ciphertext of the data key.
    3. Use the plaintext data key to encrypt the local files.
    4. Store the ciphertext data key and encrypted files on a persistent storage device or service.
  • Decryption processDecryption
    1. Retrieve the ciphertext data key and encrypted files from the persistent storage device or service.
    2. Call the Decrypt operation to decrypt the ciphertext data key. The plaintext data key is returned.
    3. Use the plaintext data key to decrypt the files.

Examples

You can use one of the following SDKs to implement envelope encryption:

  • KMS SDK

    Use KMS SDK to call the GenerateDataKey operation to generate a data key. Then, use a third-party encryption library and the data key to encrypt your data. After the encryption process is complete, encapsulate the ciphertext data key and encrypted data in an envelope.

    For more information about the sample code of KMS SDK, see Encrypt and decrypt local files.

  • Encryption SDK

    Encryption SDK provides the best practices of envelope encryption. You can implement encryption and decryption with ease by using Encryption SDK.

    For more information about the sample code of Encryption SDK, see Quick start of Encryption SDK for Java.