1 day ago · Tech · 0 comments

Envelope Encryption is something I think is important when developing an application that saves user data. The user is trusting you with their data and you shouldn't take that responsibility lightly. Running a database server on a VM with an encrypted disk isn't enough.

The idea is pretty simple. You generate a Data Encryption Key (DEK) and use it to encrypt the user's data. Then you encrypt the DEK with a Key Encryption Key (KEK) that lives in a KMS, like GCP KMS or AWS KMS. The KEK never leaves the KMS. You store the encrypted DEK alongside the data, and when you need to decrypt, you ask the KMS to decrypt the DEK, then use the DEK to decrypt the data.

There are a few things to think about:

- Key Rotation
- Re-encrypting
- Cost

Key rotation is one of the nice things you get out of this. The KEK can rotate without you having to re-encrypt all of your user data. You only have to re-encrypt the DEKs, which is a much smaller dataset. KMS providers handle versioning the KEK for you, so old…
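The scheme described above as an added Go example (not code from the post). `FakeKMS` is a constructed stand-in for GCP/AWS KMS that only wraps and unwraps DEKs and keeps every KEK version; both layers use AES-256-GCM, and `Rotate` must be called once before the first `Wrap`. `Rewrap` is the rotation step: it touches the wrapped DEK and leaves the data ciphertext alone.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is the stored record: the KEK version, the DEK wrapped by the KMS, and the user data encrypted under that DEK.
type Envelope struct{ KEKVersion int; WrappedDEK, Ciphertext []byte }
func randomBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b } // OS CSPRNG
// gcm builds AES-256-GCM; keys here are generated locally, so a bad key length is a bug, not input.
func gcm(key []byte) cipher.AEAD { b, err := aes.NewCipher(key); if err != nil { panic(err) }; g, _ := cipher.NewGCM(b); return g }
// seal/open: AES-GCM with a fresh random nonce prepended to the ciphertext.
func seal(key, pt []byte) []byte { g := gcm(key); n := randomBytes(g.NonceSize()); return g.Seal(n, n, pt, nil) }
func open(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// FakeKMS stands in for GCP/AWS KMS (constructed for this example): KEKs never leave it, it only
// wraps and unwraps DEKs, and it keeps every KEK version so envelopes wrapped under an older KEK still open.
type FakeKMS struct{ keks [][]byte }
// Rotate creates a new KEK version, which Wrap uses from now on, and returns its number (call once before Wrap).
func (k *FakeKMS) Rotate() int { k.keks = append(k.keks, randomBytes(32)); return len(k.keks) }
func (k *FakeKMS) Wrap(dek []byte) (int, []byte) { return len(k.keks), seal(k.keks[len(k.keks)-1], dek) }
func (k *FakeKMS) Unwrap(version int, wrapped []byte) ([]byte, error) {
	if version < 1 || version > len(k.keks) { return nil, errors.New("unknown KEK version") }
	return open(k.keks[version-1], wrapped)
}
// Encrypt: a fresh DEK per record, data under the DEK, DEK under the KMS's current KEK.
func Encrypt(kms *FakeKMS, pt []byte) Envelope {
	dek := randomBytes(32)
	v, w := kms.Wrap(dek)
	return Envelope{KEKVersion: v, WrappedDEK: w, Ciphertext: seal(dek, pt)}
}
func Decrypt(kms *FakeKMS, e Envelope) ([]byte, error) {
	dek, err := kms.Unwrap(e.KEKVersion, e.WrappedDEK)
	if err != nil { return nil, err }
	return open(dek, e.Ciphertext)
}
// Rewrap is the KEK-rotation step: only the small wrapped DEK is re-encrypted; Ciphertext is untouched.
func Rewrap(kms *FakeKMS, e Envelope) (Envelope, error) {
	dek, err := kms.Unwrap(e.KEKVersion, e.WrappedDEK)
	if err != nil { return e, err }
	v, w := kms.Wrap(dek)
	return Envelope{KEKVersion: v, WrappedDEK: w, Ciphertext: e.Ciphertext}, nil
}
```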
