Encryption of data can be defined as converting data known as plaintext into code, often known as ciphertext that is unreadable by anyone except the intended audience. Data encryption is the most popular way of adding another layer of security for preventing unauthorized access and use of data. Encryption is a two-step process: in the first step, data is encrypted using a combination of an encryption key and an encryption algorithm, in the second step, data is decrypted using a combination of a decryption key and a decryption algorithm to view data in its original form.
The following three components are required for encryption. These three components work hand in hand for securing your data.
There are two types of encryption available, symmetric and asymmetric. Asymmetric encryption is also known as public key encryption. Symmetric encryption uses the same secret key to perform both the encryption and decryption processes. On the other hand, asymmetric encryption uses two keys, a public key for encryption and a corresponding private key for decryption, making this option more secure and at the same time more difficult to maintain as you would need to manage two separate keys for encryption and decryption.
For encrypting data in AWS, the plaintext data key is used to convert plaintext data into ciphertext using the encryption algorithm. The following figure shows a typical workflow of the data encryption process in AWS:
Decryption converts the encrypted data (ciphertext) into plaintext, essentially reversing the encryption process. For decrypting data in AWS, ciphertext uses the plaintext data key for converting ciphertext into plaintext by applying the decryption algorithm. The following figure shows the AWS decryption workflow for converting ciphertext into plaintext:
AWS uses envelope encryption, a process to encrypt data directly. This process provides a balance between the process and security for encrypting your data. This process has the following steps for encrypting and storing your data:
Note that the key-encrypting key also known as master key is stored and managed separately from the data and the data key itself. When decrypted data is required to be converted to plaintext data, the preceding mentioned process is reversed.
The following figure depicts the end-to-end workflow for the envelope encryption process; the master key in the following figure is the key-encrypting key:
3.147.59.198