Envelope Encryption

  • For Symmetric Key
  • Use the GenerateDataKey API to encrypt data larger than 4 KB (the size limit of a direct KMS Encrypt call).

Encryption

  • How it works (not required for the exam, but good to know):
    • When calling the GenerateDataKey API, KMS sends back:
      • a plaintext data key
      • the same data key encrypted under the CMK
    • We then use client-side encryption with both of these: the plaintext data key encrypts our file, and the encrypted data key is stored alongside the ciphertext (the envelope).

Decryption

  • We send the encrypted data key from the envelope to KMS, which sends back the plaintext data key. We can then use it to decrypt the big file locally.

  • For all of this, we can use the AWS Encryption SDK, which does the hard work for us.

    • Feature: Data Key Caching
      • Caches the data key and reuses it instead of generating a new one for every message
      • Reduces the number of calls to KMS, with a security trade-off (one data key protects more data)
      • Use LocalCryptoMaterialsCache with limits on max age, max bytes, and max number of messages per cached key