KMS Envelope Encryption: What It Is and When to Use It

Definition

AWS Key Management Service (AWS KMS) Envelope Encryption is a security practice where data is encrypted using a unique Data Encryption Key (DEK), and that DEK is itself encrypted by a highly secure, access-controlled KMS key that never leaves AWS's FIPS 140-2 validated Hardware Security Modules (HSMs). [17, 29] This two-tiered approach solves the problem of efficiently encrypting large amounts of data while maintaining strict control, auditability, and centralized management of the primary encryption keys. [11, 25]

How It Works

Envelope encryption separates the key used to encrypt data (the DEK) from the key used to protect the DEK (the KMS key, formerly called a Customer Master Key or CMK). [7, 24] This allows developers to encrypt data at scale within their applications without exposing the highly sensitive root key.

The Encryption Process:

  1. Request a Data Key: Your application, or an AWS service acting on your behalf, calls the AWS KMS GenerateDataKey API operation, specifying which KMS key to use.
  2. Receive Two Keys: AWS KMS generates a unique Data Encryption Key (DEK) inside its HSM. It returns two versions of this DEK to your application: a Plaintext version and a CiphertextBlob (the DEK encrypted by the specified KMS key). [29]
  3. Encrypt Data: The application uses the Plaintext DEK to encrypt your data locally using a standard encryption algorithm like AES-256.
  4. Discard Plaintext Key: Immediately after encryption, the application must securely discard and erase the Plaintext DEK from memory.
  5. Store Encrypted Data: The encrypted data (ciphertext) and the CiphertextBlob (the encrypted DEK) are stored together, often in Amazon S3, Amazon DynamoDB, or another storage layer.

The Decryption Process:

  1. Retrieve Encrypted Data: Your application retrieves the encrypted data and the associated CiphertextBlob.
  2. Request Decryption of Data Key: The application sends only the CiphertextBlob to the AWS KMS Decrypt API.
  3. Receive Plaintext Data Key: AWS KMS uses the appropriate KMS key within the HSM to decrypt the CiphertextBlob, returning the original Plaintext DEK to your application.
  4. Decrypt Data: The application uses the Plaintext DEK to decrypt the ciphertext locally, restoring the original data.
  5. Discard Plaintext Key: As before, the application must immediately discard the Plaintext DEK from memory.

The critical security guarantee is that the KMS key itself never leaves the AWS KMS HSMs. [17] All cryptographic operations involving the KMS key happen within that secure boundary. All API calls to AWS KMS are logged in AWS CloudTrail, providing a full audit trail of who used which key, on what resource, and when.

Key Features and Limits

  • Key Types: AWS KMS offers three types of keys: [7, 22]
    • Customer Managed Keys: You create, own, and manage these keys, giving you full control over key policies, rotation schedules, and IAM permissions. They are required for cross-account access and custom key material. [5, 30]
    • AWS Managed Keys: These are created in your account by AWS services (e.g., aws/s3, aws/ebs). You can view them, but AWS manages their policies and rotation (every year). [19]
    • AWS Owned Keys: These are owned and managed by an AWS service in a separate service account and are not visible to you. They are used for default, transparent encryption in many services. [5, 22]
  • Security and Compliance: The underlying HSMs are validated under FIPS 140-2 (with some achieving FIPS 140-3 Level 3), helping meet compliance requirements for standards like PCI DSS and HIPAA. [17]
  • Centralized Management: Provides a single pane of glass for defining access policies, managing key lifecycle (creation, rotation, deletion), and auditing key usage across all integrated AWS services.
  • Automatic Key Rotation: Customer managed keys can be configured to automatically rotate their backing key material once per year, without changing the key's ID or ARN, which makes periodic rotation easy to adopt.
  • Service Quotas (as of 2026): Request quotas vary by operation type and Region. For common symmetric cryptographic operations (Encrypt, Decrypt, GenerateDataKey), limits can be as high as 10,000 requests per second in major regions like us-east-1, but can be lower in others. [3, 16] These quotas are adjustable via the AWS Service Quotas console. [18]

Common Use Cases

  1. Amazon S3 Server-Side Encryption (SSE-KMS): Encrypting objects at rest in Amazon S3. Using a customer-managed key allows for granular control over which users or roles can access specific objects. [20]
  2. Amazon EBS Volume Encryption: Encrypting the data at rest on block storage volumes for Amazon EC2 instances, ensuring that data on the underlying physical media is unreadable without access to the KMS key.
  3. Database Encryption: Securing data at rest in managed databases like Amazon RDS, Amazon Aurora, and Amazon DynamoDB. KMS encrypts the database's master key, which in turn encrypts the data.
  4. Custom Application-Layer Encryption: Developers can use the AWS Encryption SDK or KMS APIs to directly implement envelope encryption for sensitive data fields or configuration secrets within their own applications before storing them.
  5. Securing Secrets: Services like AWS Secrets Manager and AWS Systems Manager Parameter Store use KMS envelope encryption by default to protect stored credentials, API keys, and other sensitive strings.

Pricing Model

AWS KMS pricing has two primary components for customer-managed keys: [8, 13]

  • Key Storage Fee: Each customer-managed key costs a flat fee per month (e.g., $1/month), prorated hourly. This applies to symmetric, asymmetric, and multi-Region keys (where each replica incurs the fee). [8, 13]
  • API Request Fee: You are charged for API calls. AWS provides a perpetual free tier for a certain number of requests per month (e.g., 20,000). Beyond the free tier, requests are billed per 10,000 requests, with different rates for symmetric vs. more computationally expensive asymmetric operations. [13, 33]

AWS Managed Keys and AWS Owned Keys do not have a monthly storage fee, but you may still incur charges for API requests made by services on your behalf. [13, 32] There is no charge for keys that are scheduled for deletion. [13]

Pros and Cons

Pros:

  • Strong Security: Keys are protected by FIPS 140-2/140-3 validated HSMs and never leave the service unencrypted. [17]
  • Centralized Control & Audit: Simplifies key management and provides detailed audit trails via AWS CloudTrail.
  • Seamless AWS Integration: Natively integrates with dozens of AWS services for easy, out-of-the-box encryption.
  • Managed Service: AWS handles the availability, durability, and security of the underlying hardware and software, reducing operational burden.

Cons:

  • Cost: Customer-managed keys have a monthly fee, and high API usage can lead to significant costs if not managed (e.g., by using S3 Bucket Keys to reduce calls). [8]
  • Throttling: Applications with very high request rates can exceed service quotas, leading to ThrottlingException errors if not designed with backoff-and-retry logic. [18]
  • No Key Export: By design, key material generated within KMS cannot be exported, which matters for data portability and vendor lock-in. [27, 31]
  • Destructive Deletion: Deleting a KMS key is irreversible. If a key is deleted, all data encrypted under it becomes permanently unrecoverable. [6, 9]

Comparison with Alternatives

  • AWS KMS vs. AWS CloudHSM: [4]
    • KMS: A multi-tenant, fully managed service ideal for most workloads. It offers ease of use, seamless service integration, and a pay-as-you-go model. [12, 21]
    • CloudHSM: A single-tenant, dedicated HSM that you control within your VPC. It's more expensive and complex but is necessary for use cases requiring FIPS 140-2 Level 3 validation, direct control over the HSM, or the ability to run custom cryptographic operations and export keys. [10, 14]
  • SSE-KMS vs. SSE-C (in Amazon S3):
    • SSE-KMS: Uses envelope encryption where AWS manages the KMS key and the data key lifecycle. This is the recommended approach for most use cases due to its security, auditability, and ease of management.
    • SSE-C (Server-Side Encryption with Customer-Provided Keys): You are fully responsible for generating, rotating, and securing the encryption key. You provide the key with each S3 request (PUT and GET), and S3 uses it to encrypt/decrypt the object. This gives you more control but shifts the entire burden of key management to you. [31]

Exam Relevance

KMS Envelope Encryption is a foundational security topic and appears frequently on multiple AWS certification exams:

  • AWS Certified Solutions Architect - Associate (SAA-C03): Expect questions on the difference between customer-managed and AWS-managed keys, how KMS integrates with S3 and EBS, and the purpose of key policies.
  • AWS Certified Security - Specialty (SCS-C02): Requires deep knowledge of key policies vs. IAM policies, the envelope encryption workflow, key lifecycle management (rotation, deletion), multi-region keys, and comparing KMS with CloudHSM.
  • AWS Certified Developer - Associate (DVA-C02): Focuses on programmatic use of KMS, such as using the GenerateDataKey and Decrypt APIs in application code.

Examinees must understand the core concept: the KMS key protects the data key, and the data key protects the data.

Frequently Asked Questions

Q: What is the difference between a KMS key and a Data Encryption Key (DEK)?

A: A KMS key is the root key that you create and manage within AWS KMS. It is protected by an HSM and never leaves the service unencrypted. A Data Encryption Key (DEK) is a key that KMS generates and provides to your application (or an AWS service) to perform the actual encryption and decryption of your data. The DEK is, in turn, encrypted by the KMS key for secure storage—this is the core principle of envelope encryption. [29]

Q: Can I export my KMS key from AWS KMS?

A: No, key material that is generated by AWS KMS within its HSMs cannot be exported or viewed in plaintext. [27, 31] This is a fundamental security design principle of the service. If you need to manage your own key material outside of AWS, you can use the "imported key material" feature or opt for AWS CloudHSM, which provides dedicated HSMs under your control. [28]

Q: What happens if I delete a KMS key?

A: Deleting a KMS key is a destructive and irreversible action. [9] Any data that was encrypted with that KMS key will become permanently unrecoverable because there will be no way to decrypt the Data Encryption Keys (DEKs) associated with that data. To prevent accidental data loss, AWS KMS enforces a mandatory waiting period (7 to 30 days) before the key is actually deleted, during which you can cancel the deletion. [1, 15]

This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.

Published: 5/27/2026 / Updated: 5/27/2026
