AWS KMS Envelope Encryption Exam Tips

Basically, the key that is used to encrypt the data (the Envelope Key or Data Key) is itself encrypted under the Customer Master Key (CMK), and the Envelope Key is used to encrypt the data instead of the CMK. The CMK is only ever used to wrap and unwrap data keys, never the data itself.

To decrypt data:

  1. Use the Master Key to decrypt the encrypted data key using an encryption algorithm.
  2. This yields the plain-text data key.
  3. Use the plain-text data key to decrypt the data.
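The same scheme in Go, as an added illustration that is not part of the original page or any AWS code: a local 32-byte AES key stands in for the CMK, and both the wrapping of the data key and the encryption of the data use AES-256-GCM. With real KMS the master key never leaves the service, so the unwrap in step 1 would be a KMS Decrypt call rather than the local operation shown here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// mustAEAD returns AES-GCM for a 16, 24 or 32-byte key.
func mustAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming error, so fail loudly
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

func seal(key, plaintext []byte) []byte {
	gcm := mustAEAD(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand: never returns an error in practice
	return gcm.Seal(nonce, nonce, plaintext, nil) // fresh nonce prepended to output
}

// open reverses seal; GCM's tag check makes a wrong key or tampered data fail.
func open(key, sealed []byte) ([]byte, error) {
	gcm := mustAEAD(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt wraps a fresh 256-bit data key under the master key (the CMK stand-in) and
// encrypts the data under that data key only; store encDataKey beside the ciphertext.
func Encrypt(masterKey, plaintext []byte) (encDataKey, ciphertext []byte) {
	dataKey := make([]byte, 32)
	rand.Read(dataKey) // the plaintext data key lives only in this function's scope
	return seal(masterKey, dataKey), seal(dataKey, plaintext)
}

func Decrypt(masterKey, encDataKey, ciphertext []byte) ([]byte, error) {
	dataKey, err := open(masterKey, encDataKey) // steps 1 and 2: recover the plaintext data key
	if err != nil {
		return nil, err
	}
	return open(dataKey, ciphertext) // step 3: decrypt the data with the data key
}
```

Because the data key is authenticated under the master key, a wrong master key, a truncated encrypted data key, or a tampered ciphertext all fail with an error rather than producing garbage plaintext.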