Encryption and Decryption Fundamentals

Encryption of data can be defined as converting data known as plaintext into an encoded form, known as ciphertext, that is unreadable by anyone except the intended audience. Data encryption is the most popular way of adding another layer of security to prevent unauthorized access to and use of data. Encryption is a two-step process: in the first step, data is encrypted using a combination of an encryption key and an encryption algorithm; in the second step, the data is decrypted using a combination of a decryption key and a decryption algorithm to view it in its original form.

The following three components are required for encryption, and they work hand in hand to secure your data:

  • Data to be encrypted
  • Algorithm for encryption
  • Encryption keys to be used alongside the data and the algorithm

There are two types of encryption, symmetric and asymmetric. Asymmetric encryption is also known as public key encryption. Symmetric encryption uses the same secret key for both the encryption and decryption processes. Asymmetric encryption, on the other hand, uses two keys, a public key for encryption and a corresponding private key for decryption, which makes it more secure but at the same time more difficult to maintain, since you need to manage two separate keys for encryption and decryption.

Note

AWS only uses symmetric encryption.

For encrypting data in AWS, the plaintext data key is used to convert plaintext data into ciphertext using the encryption algorithm. The following figure shows a typical workflow of the data encryption process in AWS:


Figure 1: AWS encryption workflow

Decryption converts the encrypted data (ciphertext) back into plaintext, essentially reversing the encryption process. For decrypting data in AWS, the plaintext data key is applied to the ciphertext with the decryption algorithm to recover the plaintext. The following figure shows the AWS decryption workflow for converting ciphertext into plaintext:


Figure 2: AWS decryption workflow

Envelope Encryption

AWS uses envelope encryption, a process in which data is encrypted directly with a data key and that data key is then itself encrypted. This provides a balance between the simplicity of the process and the security of your data. Envelope encryption has the following steps for encrypting and storing your data:

  1. The AWS service being used for encryption generates a data key when a user requests that data be encrypted.
  2. This data key, together with the encryption algorithm, is used to encrypt the data.
  3. Once the data is encrypted, the data key itself is encrypted using the key-encrypting key, which is unique to the AWS service used to store your data, such as AWS S3.
  4. The encrypted data and the encrypted data key are stored in the AWS storage service.

    Note that the key-encrypting key, also known as the master key, is stored and managed separately from the data and the data key itself. When encrypted data needs to be converted back to plaintext, the process described above is reversed.
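As an added example (not from the original text or from AWS), the four envelope encryption steps and their reversal in Python using only the standard library. The symmetric cipher is an encrypt-then-MAC construction built from HMAC-SHA256 (a counter-mode keystream plus an authentication tag) standing in for AES, and the master key is a constructed test value rather than a KMS-managed key.

```python
import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one key (domain separation).
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream: a stand-in for AES-CTR.
    blocks, ctr = b"", 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return blocks[:length]


def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; output layout is nonce(16) || ciphertext || tag(32).
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def envelope_encrypt(master_key: bytes, plaintext: bytes) -> dict:
    data_key = secrets.token_bytes(32)               # step 1: fresh data key per object
    ciphertext = sym_encrypt(data_key, plaintext)    # step 2: encrypt the data with it
    wrapped_key = sym_encrypt(master_key, data_key)  # step 3: encrypt the data key under the master key
    # step 4: only the ciphertext and the encrypted data key are stored together
    return {"ciphertext": ciphertext, "encrypted_data_key": wrapped_key}


def envelope_decrypt(master_key: bytes, record: dict) -> bytes:
    # Reverse order: unwrap the data key with the master key, then decrypt the data.
    data_key = sym_decrypt(master_key, record["encrypted_data_key"])
    return sym_decrypt(data_key, record["ciphertext"])
```

A wrong master key or a modified ciphertext fails the tag check before any plaintext is released, which is the behaviour to expect from a real data-key unwrap as well.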

The following figure depicts the end-to-end workflow for the envelope encryption process; the master key in the following figure is the key-encrypting key:


Figure 3: AWS envelope encryption
