Fundamentals

Envelope Encryption

If a single Encryption Key is used to Encrypt and Decrypt all data, then a compromise of that Key compromises every piece of data that was ever Encrypted with it.

For data transports this generally isn’t as big of a problem: once the data has been delivered, the transport session ends and there is nothing left to Decrypt. To further reduce the Risk, PFS is typically applied so that a later Key compromise does not expose earlier sessions.

But for storing Encrypted data the problem is huge, because the Encrypted data is there to stay. So what one would want is something similar to PFS, but for data that is stored instead of transported. That is where Envelope Encryption comes in.

With Envelope Encryption the Encryption Key is regularly rotated. Every time a new Encryption Key is generated, it is added to the Key Ring.

Now, when data must be Encrypted, it is Encrypted with the most recent Encryption Key (or a newly generated one). Instead of storing just the Encrypted data, an Encryption Envelope is stored that contains both the Encrypted data and a reference to the Encryption Key in the Key Ring that was used.

If data must be Decrypted, the Decryption Key is retrieved from the Key Ring using the reference in the Encryption Envelope, which is then used to Decrypt the data.
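The scheme described above, worked through in Python as an added example (not code from the original page): a key ring that keeps every rotated key by id, an encrypt step that stores the key id inside the envelope, and a decrypt step that looks the key up by that id. The `KeyRing`, `encrypt`, `decrypt` and `reencrypt` names, the `key-0001` id scheme and the sample records are assumptions of this example. Because only the standard library is used, an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for a real AEAD such as AES-GCM; the envelope structure is the point, not the cipher.

```python
import base64
import hashlib
import hmac
import json
import os


class KeyRing:
    """Holds every key ever generated, indexed by id, plus the id of the current one."""

    def __init__(self):
        self.keys = {}
        self.current_id = None

    def rotate(self):
        """Generate a fresh 256-bit key, add it to the ring and make it current."""
        key_id = "key-%04d" % (len(self.keys) + 1)   # constructed id scheme for this example
        self.keys[key_id] = os.urandom(32)
        self.current_id = key_id
        return key_id

    def retire(self, key_id):
        """Drop a key from the ring; envelopes still referencing it can no longer be opened."""
        del self.keys[key_id]


def _subkeys(key):
    # Derive independent encryption and MAC keys from the ring key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream (stdlib-only stand-in for AES-CTR).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(ring, plaintext):
    """Encrypt with the ring's current key and return an envelope that references it."""
    key_id = ring.current_id
    enc_key, mac_key = _subkeys(ring.keys[key_id])
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC; the key id is covered by the tag so it cannot be swapped to another key.
    tag = hmac.new(mac_key, key_id.encode() + nonce + ciphertext, hashlib.sha256).digest()
    return {
        "key_id": key_id,
        "nonce": base64.b64encode(nonce).decode(),
        "ciphertext": base64.b64encode(ciphertext).decode(),
        "tag": base64.b64encode(tag).decode(),
    }


def decrypt(ring, envelope):
    """Look up the key named in the envelope, verify the tag, then decrypt."""
    key_id = envelope["key_id"]
    if key_id not in ring.keys:
        raise KeyError("envelope references key %s which is not in the ring" % key_id)
    enc_key, mac_key = _subkeys(ring.keys[key_id])
    nonce = base64.b64decode(envelope["nonce"])
    ciphertext = base64.b64decode(envelope["ciphertext"])
    expected = hmac.new(mac_key, key_id.encode() + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(envelope["tag"])):
        raise ValueError("envelope failed authentication")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def reencrypt(ring, envelope):
    """Move an envelope from an older key onto the current key (do this before retiring the old key)."""
    return encrypt(ring, decrypt(ring, envelope))


if __name__ == "__main__":
    ring = KeyRing()
    ring.rotate()
    old = encrypt(ring, b"stored record 1")        # constructed sample data
    ring.rotate()                                  # rotation: the old key stays in the ring
    new = encrypt(ring, b"stored record 2")
    print(old["key_id"], new["key_id"])            # two different key ids
    print(decrypt(ring, old), decrypt(ring, new))  # both envelopes still open
    print(json.dumps(new, indent=2))
```

Two details matter operationally. The key id is included in the authenticated data, so an attacker who can edit stored envelopes cannot point one at a different key without failing the tag check. And rotation alone limits only the blast radius of future data; to make a compromised old key worthless for data already at rest, the envelopes that reference it must be re-encrypted (`reencrypt`) under the current key before the old key is retired from the ring.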