Envelope Encryption
Definition
Envelope encryption is a key management pattern where a data encryption key (DEK) encrypts the actual data, and a separate key encryption key (KEK) — stored in a KMS — encrypts the DEK. Only the encrypted DEK is stored with the data; the KEK never leaves the KMS.
This pattern allows efficient re-keying (only the DEK needs re-encryption), supports large datasets, and keeps master keys isolated in hardware-protected KMS systems.
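The pattern above as an added example, not code from the original page: Node.js with AES-256-GCM for both layers, including re-keying to a new KEK, which re-encrypts only the wrapped DEK. `createLocalKms` is a hypothetical in-process stand-in for a real KMS, and the function names and blob layout are assumptions made for this example.

```javascript
const nodeCrypto = require('node:crypto');

// AES-256-GCM helpers. Blob layout (chosen for this example): iv(12) | tag(16) | ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

function open(key, blob) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the blob was modified.
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Hypothetical in-process stand-in for a KMS: the KEK is held in a closure and is
// never returned; callers can only ask for a DEK to be wrapped or unwrapped.
function createLocalKms() {
  const kek = nodeCrypto.randomBytes(32);
  return { wrap: (dek) => seal(kek, dek), unwrap: (wrapped) => open(kek, wrapped) };
}

// Encrypt data under a fresh DEK; only the wrapped DEK is stored with the ciphertext.
function encryptRecord(kms, plaintext) {
  const dek = nodeCrypto.randomBytes(32);
  return { wrappedDek: kms.wrap(dek), ciphertext: seal(dek, plaintext) };
}

// Decrypt: the KMS unwraps the DEK, then the DEK opens the data.
function decryptRecord(kms, record) {
  return open(kms.unwrap(record.wrappedDek), record.ciphertext);
}

// Re-keying to a new KEK: only the small wrapped DEK is re-encrypted;
// the (possibly very large) ciphertext is carried over byte for byte.
function rewrapRecord(oldKms, newKms, record) {
  const dek = oldKms.unwrap(record.wrappedDek);
  return { wrappedDek: newKms.wrap(dek), ciphertext: record.ciphertext };
}
```

With a real KMS, `wrap` and `unwrap` become calls to the service, so the KEK is never present in the application process at all.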