doc-exports/docs/kms/umn/dew_01_0054.html
qinweiwei 3e4721c813 KMS UMN 20251111 version
Reviewed-by: Rogal, Marcel <mrogal@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: qinweiwei <qinweiwei@huawei.com>
Co-committed-by: qinweiwei <qinweiwei@huawei.com>
2026-01-19 09:05:54 +00:00


<a name="dew_01_0054"></a><a name="dew_01_0054"></a>
<h1 class="topictitle1">What Are the Benefits of Envelope Encryption?</h1>
<div id="body1508302911825"><p id="dew_01_0054__p636231572315">Envelope encryption is the practice of encrypting data with a data encryption key (DEK) and then encrypting the DEK with a root key that you can fully manage. In this case, customer master keys (CMKs) are not required for encrypting or decrypting the data itself.</p>
<p id="dew_01_0054__p55067918252">Benefits:</p>
<ul id="dew_01_0054__ul1012722115254"><li id="dew_01_0054__li41556328254">Advantages over CMK encryption in KMS<p id="dew_01_0054__p45141745104214"><a name="dew_01_0054__li41556328254"></a><a name="li41556328254"></a>Users can use CMKs to encrypt and decrypt data on the KMS console or by calling KMS APIs.</p>
<p id="dew_01_0054__p8134841102518">A CMK can encrypt and decrypt no more than 4 KB of data. Envelope encryption can encrypt and decrypt larger volumes of data.</p>
<p id="dew_01_0054__p141341741202516">Data encrypted using envelope encryption does not need to be transferred. Only the DEKs need to be transferred to the KMS server.</p>
</li><li id="dew_01_0054__li7912184511252">Advantages over encryption performed by cloud services<ul id="dew_01_0054__ul11965201322615"><li id="dew_01_0054__li1396561372611">Security<p id="dew_01_0054__p139651713172617"><a name="dew_01_0054__li1396561372611"></a><a name="li1396561372611"></a>Data transferred to the cloud for encryption is exposed to risks such as interception and phishing.</p>
<p id="dew_01_0054__p10166195318269">During envelope encryption, KMS uses Hardware Security Modules (HSMs) to protect keys. All CMKs are protected by root keys in HSMs to avoid key leakage.</p>
</li><li id="dew_01_0054__li4965213132610">Trustworthiness<p id="dew_01_0054__p117009372817"><a name="dew_01_0054__li4965213132610"></a><a name="li4965213132610"></a>You may worry about the security of your data on the cloud. It is also difficult for cloud services to prove that they never misuse or disclose such data.</p>
<p id="dew_01_0054__p1054826152813">If you choose envelope encryption, KMS controls access to keys and records all key usage and key operations in traceable logs, meeting your audit and regulatory compliance requirements.</p>
</li><li id="dew_01_0054__li396514138265">Performance and cost<p id="dew_01_0054__p199651713152614"><a name="dew_01_0054__li396514138265"></a><a name="li396514138265"></a>To encrypt or decrypt data using a cloud service, you have to send the data to the encryption server and receive the processed data. This process seriously affects your service performance and incurs high costs.</p>
<p id="dew_01_0054__p28241193288">Envelope encryption allows you to generate DEKs online by calling KMS cryptographic algorithm APIs, and then to encrypt large amounts of data locally with the DEKs.</p>
</li></ul>
</li></ul>
</div>
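<p>The envelope flow described above, as an added example that is not KMS code or part of the original documentation. <code>FakeKms</code>, <code>seal</code> and <code>unseal</code> are hypothetical names, the KMS service is replaced by a local stand-in, and AES-256-GCM is an assumed cipher for both the DEK and the data.</p>

```javascript
const nodeCrypto = require('node:crypto');

// Local stand-in for the KMS service (hypothetical class, not the KMS API).
// The CMK never leaves this object, as it would never leave KMS.
class FakeKms {
  constructor() { this.cmk = nodeCrypto.randomBytes(32); this.bytesReceived = 0; }
  wrap(key) {
    const iv = nodeCrypto.randomBytes(12);
    const c = nodeCrypto.createCipheriv('aes-256-gcm', this.cmk, iv);
    const ct = Buffer.concat([c.update(key), c.final()]);
    return Buffer.concat([iv, c.getAuthTag(), ct]); // 12 + 16 + 32 = 60 bytes
  }
  // Returns a fresh DEK in plaintext and in CMK-encrypted (wrapped) form.
  createDataKey() {
    const plaintext = nodeCrypto.randomBytes(32);
    return { plaintext, wrapped: this.wrap(plaintext) };
  }
  // Only the wrapped DEK is sent to the service, never the data.
  decryptDataKey(wrapped) {
    this.bytesReceived += wrapped.length;
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', this.cmk, wrapped.subarray(0, 12));
    d.setAuthTag(wrapped.subarray(12, 28));
    return Buffer.concat([d.update(wrapped.subarray(28)), d.final()]);
  }
}

// Encrypt data locally with a one-time DEK and keep only the wrapped DEK.
function seal(kms, data) {
  const { plaintext: dek, wrapped } = kms.createDataKey();
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', dek, iv);
  c.setAAD(wrapped); // bind the ciphertext to its wrapped DEK
  const ciphertext = Buffer.concat([c.update(data), c.final()]);
  dek.fill(0); // discard the plaintext DEK as soon as it has been used
  return { wrapped, iv, tag: c.getAuthTag(), ciphertext };
}

// Have KMS unwrap the DEK, then decrypt locally; throws if anything was altered.
function unseal(kms, env) {
  const dek = kms.decryptDataKey(env.wrapped);
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', dek, env.iv);
  d.setAAD(env.wrapped);
  d.setAuthTag(env.tag);
  try { return Buffer.concat([d.update(env.ciphertext), d.final()]); }
  finally { dek.fill(0); }
}
```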
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dew_01_0092.html">FAQs</a></div>
</div>
</div>