KMS Envelope encryption formats #509
Comments
Unfortunately, neither way is envelope encryption. I have a pending PR to clarify the documentation. 1/ In envelope encryption, you generate a unique key for each message you encrypt. The unique key will be encrypted and appended to each ciphertext. If this is your intention, check out this snippet:
2/ In both A & B, however, you're generating an encrypted keyset that you will use to encrypt multiple messages. This means the encrypted keyset needs to be saved separately. If this is your intention, A is the correct solution.
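The per-message scheme described in 1/ above, as an added Go example (not Tink's code and not the snippet referred to in the comment): a fresh DEK for every message, wrapped by the KEK and prepended to the ciphertext behind a length prefix. A local AES-256-GCM key stands in for the KMS-held KEK, so `seal(kek, ...)`/`open(kek, ...)` are assumptions replacing the remote KMS Encrypt/Decrypt calls, and the layout (4-byte big-endian length, wrapped DEK, AES-GCM payload with nonce prefix) is modelled on Tink's envelope format without claiming byte compatibility.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

func NewAES256GCM(key []byte) cipher.AEAD { // 32-byte keys only: neither constructor can fail
	block, _ := aes.NewCipher(key)
	a, _ := cipher.NewGCM(block)
	return a
}
// seal emits nonce||ciphertext under a fresh random nonce; open reverses it.
func seal(a cipher.AEAD, pt, ad []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (Go 1.24+)
	return a.Seal(nonce, nonce, pt, ad)
}
func open(a cipher.AEAD, ct, ad []byte) ([]byte, error) {
	if len(ct) < a.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return a.Open(nil, ct[:a.NonceSize()], ct[a.NonceSize():], ad)
}

// EnvelopeEncrypt: one fresh DEK for this message, wrapped by the KEK (a local AEAD
// stands in for the KMS Encrypt call), then len(wrappedDEK) || wrappedDEK || AES-GCM(DEK, pt).
func EnvelopeEncrypt(kek cipher.AEAD, plaintext, ad []byte) []byte {
	dek := make([]byte, 32)
	rand.Read(dek)
	wrapped := seal(kek, dek, nil)
	out := binary.BigEndian.AppendUint32(nil, uint32(len(wrapped)))
	return append(append(out, wrapped...), seal(NewAES256GCM(dek), plaintext, ad)...)
}

// EnvelopeDecrypt: bounds-check the header, unwrap the DEK (the KMS Decrypt call), then open the payload.
func EnvelopeDecrypt(kek cipher.AEAD, ct, ad []byte) ([]byte, error) {
	if len(ct) < 4 || uint64(len(ct)-4) < uint64(binary.BigEndian.Uint32(ct)) {
		return nil, errors.New("bad envelope header")
	}
	n := int(binary.BigEndian.Uint32(ct))
	dek, err := open(kek, ct[4:4+n], nil)
	if err != nil || len(dek) != 32 {
		return nil, errors.New("DEK unwrap failed")
	}
	return open(NewAES256GCM(dek), ct[4+n:], ad)
}
```

Because every message carries its own wrapped DEK, each decrypt costs one KMS call, which is the per-object latency the discussion below notes.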
Thanks for the explanation. I didn't realize the ciphertext already had the key added into it in the example you just cited (which is nice but also incurs KMS operations per object (+ some latency). I guess I can use
We're going to cache the DEK and reuse it for multiple messages. It'd look a lot like solution
Yeah, this should work. Please reopen if you have any further questions.
This is really a question on the correct usage of KMS envelope encryption.
I'm trying to find out the correct way to wrap a key with KMS.... From what I can tell, both A and B below create an `EncryptedKeySet` which is backed by a KMS KEK. B is what is documented here... so I'm trying to understand where A fits in... what it is doing is writing a plain `AES256GCMKeyTemplate`.... Are A and B doing pretty much the same thing here, or did I miss a subtle and very important distinction on best use?
A
B