When to use envelope encryption and when not?
Laycee last edited by
In our SaaS application we store different integration tokens from apps like Trello, Pivotal, Intercom etc., based on OAuth tokens, which we want to additionally (on top of the default database encryption at rest) symmetrically encrypt and decrypt using best practices. Given the criticality of the tokens (not cardholder data, but still very sensitive authentication tokens), which one of the following approaches would you recommend?
- Using an Encryption as a Service mechanism, which will simply encrypt and decrypt every single payload using a single API call (e.g. HashiCorp Vault, Transit engine), where each customer/space will have its own master key.
- Using envelope encryption, where the DEK will be stored next to the data in the main database and the KEK will be stored in some KMS (e.g. Vault K/V mode), where each customer/space will have its own master key and each row (data record/object) will have its own data encryption key.
The difference between the two approaches is that the first one does not include usage of data encryption keys and "two way encryption".
In general, envelope encryption is more flexible with only a small bandwidth overhead, so there's no reason not to do it?
You get flexibility in the sense that:
- If you happen to need to add a second decryption service, then you can simply re-encrypt the DEK for that decryption service rather than needing to re-encrypt the (presumably much larger) data payloads. For example you might in the future want a disaster recovery site with different encryption keys from the primary site.
- If your organization has a key rotation policy (e.g. all encryption-at-rest keys must be rotated every year), then it's generally easier to implement this with enveloped data, where you only need to re-encrypt the DEKs under a new KEK, as opposed to needing to find and re-encrypt all the data.
- A special case of this is if your decryption service gets hacked and you have to roll over your master encryption key in an emergency situation.
Implementing this fully involves more than just the encryption format since you need to worry about where you're storing the DEKs and have a procedure for pulling them down and re-encrypting them. But the point is that choosing enveloped data now gives you all sorts of options down the line that you wouldn't have otherwise.