-
Envelope Encryption – Ambiguous answer
Irene-TutorialsDojo updated 4 months, 4 weeks ago
-
A company is developing an online customer portal in AWS. There is a requirement to create and control the encryption keys used to encrypt your data using the envelope encryption strategy to comply with the strict IT security policy of the company.
Which of the following statements correctly describes the envelope encryption process?
I believe the highlighted answer in the attached screenshot is ambiguous and not accurate, as:
"top-level master key is never exposed as plaintext; only the data key is used as plaintext during data encryption, and its encrypted form is stored alongside the ciphertext for secure key management and retrieval."
or, in simple words:
"It is a process where you encrypt plaintext data with a data key, and then encrypt that data key with a top-level key encryption key (KEK)."
Please clarify!
Thanks
-
Hi Ocean,
Thank you for your feedback. You are correct that the description could be clearer. In envelope encryption, the data key is used to encrypt plaintext data, and then the data key itself is encrypted using a top-level Key Encryption Key (KEK). The KEK is never exposed as plaintext, ensuring secure key management and retrieval. We will update the relevant information to reflect this clarification and ensure it aligns with the accurate process.
Thank you for bringing this to our attention!
If you have further questions or need additional clarification, please don’t hesitate to contact us.
Best,
Irene @ Tutorials Dojo
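The process both posts above describe (encrypt the data with a data key, encrypt the data key with a KEK, store the wrapped data key beside the ciphertext, never persist the plaintext data key) is easier to see in code. The following is an added example written for this thread, not code from the question bank or from AWS. It uses only the Go standard library and simulates the KMS side locally: a hypothetical `generateDataKey` stands in for KMS `GenerateDataKey`, and the KEK is a constructed 32-byte value. In real AWS usage the KEK lives inside KMS and is unwrapped there, so the application would never hold `kek` in memory at all; this example only shows the key hierarchy.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what gets stored at rest: the payload ciphertext plus the data
// key encrypted under the KEK. The plaintext data key is never written out.
type Envelope struct {
	EncryptedDataKey []byte // data key wrapped by the KEK (nonce || AES-GCM output)
	Ciphertext       []byte // payload encrypted by the data key (nonce || AES-GCM output)
}

// aesGCMSeal encrypts and authenticates plaintext under key, prefixing a random nonce.
func aesGCMSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aesGCMOpen reverses aesGCMSeal; any tampering or wrong key yields an error.
func aesGCMOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// generateDataKey is a hypothetical local stand-in for KMS GenerateDataKey:
// it returns a fresh 256-bit data key in plaintext and a copy wrapped by the KEK.
func generateDataKey(kek []byte) (plaintextKey, encryptedKey []byte, err error) {
	plaintextKey = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, plaintextKey); err != nil {
		return nil, nil, err
	}
	encryptedKey, err = aesGCMSeal(kek, plaintextKey, []byte("data-key"))
	if err != nil {
		return nil, nil, err
	}
	return plaintextKey, encryptedKey, nil
}

// EnvelopeEncrypt encrypts plaintext with a one-off data key, wipes that key,
// and returns the ciphertext together with the KEK-wrapped data key.
func EnvelopeEncrypt(kek, plaintext []byte) (Envelope, error) {
	dataKey, encryptedDataKey, err := generateDataKey(kek)
	if err != nil {
		return Envelope{}, err
	}
	defer zero(dataKey) // plaintext data key lives only for this call
	ct, err := aesGCMSeal(dataKey, plaintext, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{EncryptedDataKey: encryptedDataKey, Ciphertext: ct}, nil
}

// EnvelopeDecrypt unwraps the data key with the KEK (KMS Decrypt in AWS),
// then uses it to recover the payload.
func EnvelopeDecrypt(kek []byte, env Envelope) ([]byte, error) {
	dataKey, err := aesGCMOpen(kek, env.EncryptedDataKey, []byte("data-key"))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	defer zero(dataKey)
	pt, err := aesGCMOpen(dataKey, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt payload: %w", err)
	}
	return pt, nil
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	kek := make([]byte, 32) // constructed KEK; in AWS this never leaves KMS
	for i := range kek {
		kek[i] = byte(i)
	}
	env, err := EnvelopeEncrypt(kek, []byte("customer record 42"))
	if err != nil {
		panic(err)
	}
	pt, err := EnvelopeDecrypt(kek, env)
	fmt.Printf("stored wrapped key: %d bytes, ciphertext: %d bytes, recovered: %q, err: %v\n",
		len(env.EncryptedDataKey), len(env.Ciphertext), pt, err)
}
```

Two points the code makes concrete: decrypting with any key other than the KEK fails at the unwrap step before the payload is ever touched, and because AES-GCM is authenticated, a modified ciphertext or wrapped key is rejected rather than silently producing garbage.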