AWS Security Academy · Lesson

Envelope Encryption and Data Keys

See how KMS protects a data key that encrypts your real data.

The Large Data Problem

KMS can encrypt only small payloads directly: a single Encrypt call accepts at most 4 KB (4,096 bytes) of plaintext. Real data (files, volumes, databases) is far larger, and shipping it to KMS for every operation would not scale anyway.

Envelope encryption solves this: you encrypt the data locally with a data key, then encrypt (wrap) that data key with a KMS key and store the wrapped key alongside the ciphertext. KMS only ever handles the small data key, never the bulk data. This is how AWS services encrypt data at scale.

What a Data Key Is

A data key is an ordinary symmetric key (for example a 256-bit AES key) that KMS generates on request, via GenerateDataKey, for encrypting your actual data.

  • Unlike a KMS key, whose material never leaves the service, the data key is returned to you in plaintext so you can use it locally. Use it, then clear it from memory; it should never be written to disk or logs.
  • KMS also returns a copy of the data key encrypted under the KMS key. Store that copy with your ciphertext; to decrypt later, send the encrypted copy to KMS Decrypt, which returns the plaintext data key if the caller is authorized on that KMS key.
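The whole flow from both sections above, the 4 KB limit on direct encryption and the generate / use / discard / unwrap cycle of a data key, as an added example that is not part of this lesson or of any AWS SDK. It runs offline: MockKMS is a hypothetical stand-in for the KMS service whose master key never leaves the struct, its Encrypt, Decrypt and GenerateDataKey methods only mirror the names of the real API calls, and EnvelopeEncrypt, EnvelopeDecrypt, Envelope and the sample record are all constructed for the demonstration. Against real KMS you would replace the MockKMS calls with the SDK's GenerateDataKey and Decrypt and keep the rest unchanged.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KMS Encrypt takes at most 4096 bytes of plaintext; the mock enforces the same cap.
const maxDirectEncrypt = 4096

// MockKMS is a hypothetical stand-in for AWS KMS (assumption: not the real SDK).
// Its master key never leaves the struct, like a KMS key's material never leaves the service.
type MockKMS struct{ masterKey []byte }

func NewMockKMS() *MockKMS { return &MockKMS{masterKey: randBytes(32)} } // AES-256

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG is fatal for any key generation
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-256-GCM ciphertext (authentication tag included).
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; any bit flip in nonce, ciphertext or tag is rejected.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Encrypt mirrors KMS Encrypt: direct encryption under the master key, small payloads only.
func (m *MockKMS) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) > maxDirectEncrypt {
		return nil, fmt.Errorf("plaintext is %d bytes, limit is %d", len(plaintext), maxDirectEncrypt)
	}
	return seal(m.masterKey, plaintext)
}

// Decrypt mirrors KMS Decrypt.
func (m *MockKMS) Decrypt(ciphertext []byte) ([]byte, error) { return open(m.masterKey, ciphertext) }

// GenerateDataKey mirrors KMS GenerateDataKey: a fresh AES-256 key, returned both in
// plaintext (use it now, then discard) and encrypted under the master key (store it).
func (m *MockKMS) GenerateDataKey() (plaintext, encrypted []byte, err error) {
	plaintext = randBytes(32)
	encrypted, err = m.Encrypt(plaintext)
	return plaintext, encrypted, err
}

// Envelope is what gets stored: the wrapped data key travels with the ciphertext.
type Envelope struct{ EncryptedDataKey, Ciphertext []byte }

func EnvelopeEncrypt(kms *MockKMS, data []byte) (*Envelope, error) {
	plainKey, encKey, err := kms.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	defer zero(plainKey) // the plaintext data key must not outlive this call
	ct, err := seal(plainKey, data)
	if err != nil {
		return nil, err
	}
	return &Envelope{EncryptedDataKey: encKey, Ciphertext: ct}, nil
}

func EnvelopeDecrypt(kms *MockKMS, env *Envelope) ([]byte, error) {
	plainKey, err := kms.Decrypt(env.EncryptedDataKey) // one small KMS call, whatever the data size
	if err != nil {
		return nil, err
	}
	defer zero(plainKey)
	return open(plainKey, env.Ciphertext)
}

// zero is a best-effort wipe; the Go runtime may still hold copies elsewhere.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	kms := NewMockKMS()
	data := bytes.Repeat([]byte("constructed sample record\n"), 40000) // ~1 MB, constructed input
	_, directErr := kms.Encrypt(data)                                   // refused: over the 4 KB limit
	env, err := EnvelopeEncrypt(kms, data)
	if err != nil {
		panic(err)
	}
	out, err := EnvelopeDecrypt(kms, env)
	fmt.Println("direct Encrypt:", directErr, "| envelope round trip ok:", err == nil && bytes.Equal(out, data))
}
```

The wrapped data key is 60 bytes (12-byte nonce, 32-byte key, 16-byte tag) no matter how large the data is, which is why a single Decrypt call suffices to unlock a multi-gigabyte object. Because the wrap is authenticated, a wrapped key that has been tampered with, or that was produced under a different KMS key, fails to unwrap instead of silently yielding garbage.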
