Envelope encryption is an encryption mechanism similar to the digital envelope technology. Envelope encryption allows you to store, transfer, and use encrypted data by encapsulating its data keys (DKs) in an envelope, instead of encrypting/decrypting data directly with Customer Master Keys (CMKs).
Using cloud services to directly encrypt/decrypt user data causes the following problems:
- Security risks
- When a client transmits sensitive information over the Internet to a service, risks exist, including eavesdropping and phishing.
- Difficulty proving trust and credibility
- Users may not trust some cloud services, so they may not want to upload sensitive data.
- It is difficult for cloud services to prove that they will not misuse or leak data.
- Poor performance, high costs
- Large volumes of data must be transmitted to servers through secure channels and then encrypted before being returned to users. This has a major impact on users’ service performance.
- We all know that, in a distributed system, we must do our best to implement mobile computing instead of mobile data, as large volumes of mobile data lead to extremely high costs.
- Create a CMK.
- Call the GenerateDataKey interface of the KMS to generate data keys. You can obtain a plaintext data key and a ciphertext data key.
- Use the plaintext data key to encrypt the file and generate a ciphertext file.
- Save the ciphertext data key and the ciphertext file to a persistent storage device or service.
- Read the ciphertext data key and the ciphertext file from the persistent storage device or service.
- Call the Decrypt interface of the KMS to decrypt the ciphertext data key to obtain the plaintext data key.
- Use the plaintext data key to decrypt the file.