Envelope Encryption Delivers AES Speed Without Master Key Exposure

Envelope encryption resolves symmetric AES-256's key distribution limits and RSA's performance bottlenecks by layering fast bulk encryption under protected master keys. Generate a plaintext AES-256 DEK via the KMS GenerateDataKey API; it returns both the raw DEK (held in memory only) and a copy encrypted under the master key. Encrypt your data locally with the plaintext DEK using AES-256, which handles gigabytes per second via CPU-optimized bitwise operations (substitutions, shifts, XORs). Discard the plaintext DEK immediately afterwards; store only the ciphertext and the encrypted DEK in your database, for example as DynamoDB records:

{
  "user_id": "u_12345",
  "encrypted_payload": "<base64-encoded ciphertext>",
  "encrypted_dek": "<base64-encoded KMS-encrypted data key>"
}

For decryption, fetch the record, call KMS Decrypt on the encrypted DEK to recover the plaintext DEK in memory, decrypt the payload locally with AES-256, then discard the DEK. This keeps KMS out of the bulk data path (only one KMS call per record lifecycle) while limiting breach impact: a compromised DEK exposes only its own record, not the master key or other records.

RSA complements this for key exchange or small payloads (up to 214 bytes for 2048-bit keys; the KMS Encrypt API caps direct payloads at 4 KB), but avoid it for bulk data because modular exponentiation is slow (hundreds of KB/s versus AES's GB/s). Share your RSA public key with partners so they can encrypt DEKs to you securely, even over email, and decrypt them with your private key.

Master Keys Anchor Trust with Hardware Isolation and Controls

KMS master keys (formerly called CMKs) reside exclusively in FIPS 140-2 validated HSMs and are never exported in plaintext or to application code. Control access with both IAM policies and key policies; a key policy can deny access even to the account root user. Rotate symmetric keys annually so new data is encrypted under fresh material while the retained old material still decrypts existing data. Replicate keys multi-region for DR without changing key IDs.

Master keys enable:

  • GenerateDataKey for DEKs.
  • Decrypt for DEK recovery.
  • Direct Encrypt for <4KB payloads.
  • RSA/ECC signing/verification (2048/3072/4096-bit keys).

Disabling or deleting a master key locks all data encrypted under it (irrecoverably once deletion completes), which makes revocation instant.

Audit and Compliance Built into Every Operation

CloudTrail logs every API call (Encrypt, Decrypt, GenerateDataKey, Describe and so on) in a tamper-resistant trail for compliance. Centralized management scales across S3, RDS, EBS, Lambda, DynamoDB and Secrets Manager through IAM and key policies. Hardware-backed operations ensure keys never exist in plaintext outside the HSMs, avoiding the pitfalls of self-managed HSMs.