Recently at work, I came across an interesting method to handle encryption at scale called envelope encryption. First of all, it increases security and helps you ease out the management of encryption keys. But it's also a highly recommended pattern by PCI-DSS (Security Standard for Credit Card Processing) and results in much stronger data privacy and data protection of Personally Identifiable Information (PII). When we think of data, there are 3 places we can think of encrypting it: We will be dealing primarily with encryption at rest, and envelope encryption is a popular pattern for this use case. Envelope encryption involves encrypting your data with a Data Encryption Key, then encrypting the Data
Encryption Key (DEK) with a Customer Master Key (CMK). You then store both the encrypted data and the encrypted DEK alongside each other in the database. This practice of using a wrapping key to encrypt data keys is known as envelope encryption. You need to understand these two keys before we see how the encryption process takes place:
Customer Master Keys/Root Keys/Key Encryption Keys (CMK)These are symmetric keys used to encrypt, decrypt, and re-encrypt data. They can also generate Data Encryption Keys that you can use outside of the KMS system. They follow the below rules:
In systems like Google Cloud Key Management Service, you have a hierarchy of keys as seen below (you can find more information here): Data Encryption Keys (DEK)Data keys are encryption keys you can use to encrypt data, including large amounts of data and other data encryption keys. Unlike CMK's, which can't be downloaded, data keys are returned to you for use outside of the KMS. Some of the best practices for DEKs are as follows:
Envelope Encryption ProcessFirst, an API request is sent to KMS to generate Data key using CMK. Then the KMS returns a response with Plain Data key and Encrypted Data key (using CMK). Data is encrypted using the Plain Data key, and then the Plain Data key is removed from memory. The Encrypted Data and Encrypted Data Key are packaged together as an envelope and stored. Decryption ProcessFirst, the Encrypted Data key is extracted from the envelope. Then an API request is sent to KMS using Encrypted Data key which has information about CMK to be used in KMS for decryption. The KMS returns a response with the Plain Data Key. Then the Encrypted Data is decrypted using the Plain Data key, and the Plain Data Key is removed from memory. How is Envelope Encryption Different From Other Encryption Patterns? 🤔Every service you build requires encryption at some point. This could be passwords or PII in a database, credentials for an external service, or even files in a filesystem. Configuration FilesYou can easily handle some of these situations with a configuration file but they pose their own security risks like:
Symmetric EncryptionYou can encrypt data using a symmetric key but they suffer from a major issue which is Key Management. You need to find a way to get the key to the party with whom you are sharing data. But if someone gets their hands on a symmetric key, they can decrypt everything encrypted with that key. Asymmetric EncryptionYou can encrypt data using Asymmetric Encryption which is considered a standard now a days. However, some of its cons are:
Envelope EncryptionSome of the benefits offered by envelope encryption are:
Why Key Management Systems Work Well at ScaleEnvelope Encryption and KMSs working so well at scale because of Performance. Like we mentioned before, Asymmetric Encryptions are typically slow and Symmetric Encryptions are very fast but managing keys can be an issue. So in Envelope Encryption, for a large quantity of data, you quickly encrypt it using symmetric encryption with a random key. Then just the key is encrypted using asymmetric encryption. This gives the benefits of asymmetric encryption, with the performance of symmetric encryption. Key Management Systems like AWS KMS, Azure Key Vault, and Google Cloud Key Management Service gives you a fully managed service to store and manage encryption keys. These use envelope encryption internally, and they’re used by default in a lot of services that support encryption in cloud infrastructure providers like AWS, GCP, Azure, and others. An ideal key management system should be highly available, it should control access to the master key(s), it should audit the key(s) usage, and finally, it should manage key(s) lifecycle. Thus by having the above characteristics and by using envelope encryption internally, Key Management Systems are ideal to handle encryption at scale. SummaryEnvelope Encryption is one of the most trusted application security design patterns used at scale. It is the default encryption method used in services like AWS S3, GCP, and others. Hopefully, this helps you understand how you can encrypt/decrypt a large amount of data using the envelope encryption method at scale in a more trusted setup. Thanks for reading! I really hope that you find this article useful. I'm always interested to know your thoughts and am happy to answer any questions you might have. If you think this post was useful, please share it so others can read it, too. P.S. – Do feel free to connect with me on LinkedIn or Twitter. ResourcesThis article leans heavily on the following material:
Learn to code for free. freeCodeCamp's open source curriculum has helped more than 40,000 people get jobs as developers. Get started Which encryption method is most suitable for quickly encryption large amount of data?Symmetric encryption is one such technique that can help you encrypt data faster while providing substantial security. Organizations generally use encryption software to safeguard their data in use, transit, or at rest. These software work with both symmetric and asymmetric encryption depending on use cases and need.
Which encryption method is more suitable for quickly encrypting large amounts of data o Assymmetric key encryption o symmetric key encryption?First, we have speed, where symmetric cryptography has an enormous advantage over asymmetric cryptography. Symmetric cryptography is faster to run (in terms of both encryption and decryption) because the keys used are much shorter than they are in asymmetric cryptography.
What is the most sensible encryption method for data at rest?The encryption of data at rest should only include strong encryption methods such as AES or RSA. Encrypted data should remain encrypted when access controls such as usernames and password fail. Increasing encryption on multiple levels is recommended.
What is the best encryption method for securing personal files?AES. The Advanced Encryption Standard (AES) is the algorithm trusted as the standard by the U.S. Government and numerous organizations. Although it is highly efficient in 128-bit form, AES also uses keys of 192 and 256 bits for heavy-duty encryption purposes.
|