Levi Durfee

Envelope Encryption

Envelope encryption is something I think is important when developing an application that stores user data. The user is trusting you with their data, and you shouldn't take that responsibility lightly. Running a database server on a VM with an encrypted disk isn't enough: disk encryption protects the bytes at rest, but anything that can reach the running database still reads the data in the clear.

The idea is pretty simple. You generate a Data Encryption Key (DEK), a random symmetric key, and use it to encrypt the user's data. Then you encrypt (wrap) the DEK with a Key Encryption Key (KEK) that lives in a KMS, like GCP KMS or AWS KMS. The KEK never leaves the KMS, and the KMS only ever sees the small DEK, never the data itself. You store the encrypted DEK alongside the data, and when you need to decrypt, you ask the KMS to decrypt the DEK, then use the DEK to decrypt the data.

There are a few things to think about:

Key rotation is one of the nice things you get out of this. The KEK can rotate without you having to re-encrypt all of your user data. You only have to re-encrypt the DEKs, which is a much smaller dataset. KMS providers handle versioning the KEK for you, so DEKs wrapped under previous versions can still be unwrapped and the data they protect can still be decrypted.

Re-encrypting the actual user data is a bigger ordeal. If you want to rotate the DEK, you have to decrypt the data with the old DEK and re-encrypt it with the new one. For a row in a database, that's not too bad. For terabytes of blobs in a bucket, it's a project. Plan for it.
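The flow described above, together with the cheap KEK-rotation path, as an added example in Go that is not from the original post. It uses AES-256-GCM from the standard library for both layers and an in-process MockKMS (hypothetical; a stand-in for GCP or AWS KMS, which you would really call through their client libraries) that keeps every KEK version, never hands a KEK out, and only wraps and unwraps DEK blobs. RewrapDEK re-encrypts just the wrapped DEK after a KEK rotation while the data ciphertext stays byte-for-byte the same; rotating the DEK itself is EnvelopeDecrypt followed by EnvelopeEncrypt, the expensive path. All function and type names are chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func mustRandom(n int) []byte { // n bytes from the OS CSPRNG: DEKs, mock KEKs, nonces
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds an AES-256-GCM AEAD; every key here is 32 bytes from mustRandom.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length, i.e. a bug in this file, not bad input
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts plaintext and prepends the random 12-byte nonce to the output.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or any tampering fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// MockKMS is a hypothetical in-process stand-in for GCP/AWS KMS. It never hands a
// KEK out; Rotate adds a new primary version and older versions still unwrap old DEKs.
type MockKMS struct {
	keks [][]byte // version n is keks[n-1]; the newest version is primary
}

func (k *MockKMS) Rotate() { k.keks = append(k.keks, mustRandom(32)) }
func (k *MockKMS) Wrap(dek []byte) (version int, blob []byte) {
	return len(k.keks), seal(k.keks[len(k.keks)-1], dek)
}
func (k *MockKMS) Unwrap(version int, blob []byte) ([]byte, error) {
	if version < 1 || version > len(k.keks) {
		return nil, fmt.Errorf("unknown KEK version %d", version)
	}
	return open(k.keks[version-1], blob)
}

// Record is one stored item: data ciphertext plus the DEK wrapped under KEKVersion.
type Record struct {
	Ciphertext []byte
	KEKVersion int
	WrappedDEK []byte
}

// EnvelopeEncrypt: fresh DEK per record, data under the DEK, DEK under the KEK.
func EnvelopeEncrypt(kms *MockKMS, plaintext []byte) Record {
	dek := mustRandom(32)
	ver, blob := kms.Wrap(dek)
	return Record{seal(dek, plaintext), ver, blob}
}
func EnvelopeDecrypt(kms *MockKMS, r Record) ([]byte, error) {
	dek, err := kms.Unwrap(r.KEKVersion, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext)
}

// RewrapDEK is the cheap path after a KEK rotation: only the wrapped DEK changes,
// the ciphertext is untouched. Rotating the DEK itself is decrypt then re-encrypt.
func RewrapDEK(kms *MockKMS, r Record) (Record, error) {
	dek, err := kms.Unwrap(r.KEKVersion, r.WrappedDEK)
	if err != nil {
		return Record{}, err
	}
	r.KEKVersion, r.WrappedDEK = kms.Wrap(dek)
	return r, nil
}

func main() {
	kms := &MockKMS{keks: [][]byte{mustRandom(32)}} // KEK v1
	rec := EnvelopeEncrypt(kms, []byte("constructed sample: one user's row"))
	kms.Rotate()                 // KEK v2; existing records still decrypt via v1
	rec, _ = RewrapDEK(kms, rec) // only the wrapped DEK changes
	pt, err := EnvelopeDecrypt(kms, rec)
	fmt.Printf("KEK v%d plaintext=%q err=%v\n", rec.KEKVersion, pt, err)
}
```

The per-record DEK is what keeps a DEK rotation local: re-keying one row means touching one row. A real KMS returns the version it wrapped with (GCP KMS embeds it in the ciphertext; AWS KMS resolves it on decrypt), so you store either the version or the opaque blob, never the KEK.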

Cost is the one that catches people off guard. On GCP, key operations are $0.03 per 10,000. A software-backed key is $0.06 per month, and a hardware-backed (HSM) key is $1.00 per month. It doesn't sound like much, but if your app is doing a million decrypts a day, that's $3 a day just on operations. Add a key per tenant, and the bill scales up quickly. Cache the decrypted DEK in memory when you can, and don't go to the KMS for every read.
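The "cache the decrypted DEK" advice, as an added example in Go that is not from the original post: a TTL-bounded in-memory cache in front of a one-method Unwrapper interface (hypothetical; in a real service the GCP or AWS KMS client would sit behind it). fakeKMS is a constructed stand-in that only counts calls and does no cryptography, so the block runs offline; DEKCache, Get, Forget and KMSCallsForReads are names chosen here.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Unwrapper is the one KMS operation the read path needs: wrapped DEK in, DEK out.
type Unwrapper interface {
	Unwrap(wrapped []byte) ([]byte, error)
}

type cacheEntry struct {
	dek     []byte
	expires time.Time
}

// DEKCache keeps unwrapped DEKs in memory for a bounded time, so a hot record
// costs one KMS call per TTL rather than one per read. The clock is a field so
// expiry can be tested without sleeping.
type DEKCache struct {
	kms   Unwrapper
	ttl   time.Duration
	now   func() time.Time
	mu    sync.Mutex
	items map[string]cacheEntry
}

func NewDEKCache(kms Unwrapper, ttl time.Duration) *DEKCache {
	return &DEKCache{kms: kms, ttl: ttl, now: time.Now, items: map[string]cacheEntry{}}
}

// Get returns the DEK for a wrapped blob, calling the KMS only on a miss or after
// the entry expired. Errors are never cached, so a KMS outage is not pinned in memory.
// The lock is held across the KMS call, which also stops a stampede of concurrent misses.
func (c *DEKCache) Get(wrapped []byte) ([]byte, error) {
	key := string(wrapped)
	c.mu.Lock()
	defer c.mu.Unlock()
	if e, ok := c.items[key]; ok && c.now().Before(e.expires) {
		return e.dek, nil
	}
	dek, err := c.kms.Unwrap(wrapped)
	if err != nil {
		return nil, err
	}
	c.items[key] = cacheEntry{dek: dek, expires: c.now().Add(c.ttl)}
	return dek, nil
}

// Forget drops a cached DEK, e.g. when the record is deleted or the key is retired.
func (c *DEKCache) Forget(wrapped []byte) {
	c.mu.Lock()
	defer c.mu.Unlock()
	delete(c.items, string(wrapped))
}

// fakeKMS is a constructed stand-in that only counts calls: it does no cryptography
// and simply looks the DEK up in a table, which is all the cache logic needs.
type fakeKMS struct {
	table map[string][]byte
	Calls int
}

func (f *fakeKMS) Unwrap(wrapped []byte) ([]byte, error) {
	f.Calls++
	if dek, ok := f.table[string(wrapped)]; ok {
		return dek, nil
	}
	return nil, fmt.Errorf("fakeKMS: unknown wrapped DEK")
}

// KMSCallsForReads runs n reads of one record through the cache and reports how
// many KMS operations (the billed unit) they cost.
func KMSCallsForReads(n int, ttl time.Duration) int {
	kms := &fakeKMS{table: map[string][]byte{"wrapped-dek-1": []byte("dek-1")}}
	cache := NewDEKCache(kms, ttl)
	for i := 0; i < n; i++ {
		if _, err := cache.Get([]byte("wrapped-dek-1")); err != nil {
			panic(err)
		}
	}
	return kms.Calls
}

func main() {
	fmt.Println("KMS calls for 1,000,000 reads:", KMSCallsForReads(1_000_000, 5*time.Minute))
}
```

The TTL is the trade-off: while an entry is live, decrypts never touch the KMS, so disabling a KEK version there only bites cached DEKs once they expire. Keep the window short enough to live with, call Forget when a record goes away, and add a size bound (an LRU) before putting a key per tenant behind this.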

In conclusion, envelope encryption is a good way to protect your users' data without painting yourself into a corner when you need to rotate keys. Take the responsibility seriously, plan for re-encryption, and keep an eye on the bill.

Questions? Comments? Concerns? Send me an email.

#cloud #encryption #gcp #kms #security