
KEK / DEK

KEK is the Key Encryption Key. DEK is the Data Encryption Key.

Use the KEK/DEK pattern (envelope encryption) for database encryption at rest.

The KEK is stored in a key vault. A fresh random DEK is generated for each record; the record stores the data encrypted with the DEK, the DEK encrypted (wrapped) with the KEK, and the KEK version that wrapped it. Rotating the KEK then only requires re-wrapping DEKs, never re-encrypting the data itself.

sequenceDiagram
    participant client
    participant service
    participant key_vault
    participant database

    service ->> service: init
    service ->> key_vault: get KEK_v1, KEK_v2, ...

    client ->> service: submit data
    service ->> service: random DEK
    service ->> service: encrypt data using DEK
    service ->> service: encrypt DEK using latest KEK
    service ->> database: save encrypted data, encrypted DEK, KEK version

    client ->> service: get data
    service ->> database: get encrypted data, encrypted DEK, KEK version
    service ->> service: decrypt DEK using saved KEK version
    service ->> service: decrypt data using DEK

When rotating the KEK:

Add a new version to the key vault (KEK_v3, ...) and keep the old versions. The service wraps every new DEK with the latest version; records written under an older version still decrypt, because each record stores the version that wrapped its DEK.

Migrating old data:

For each record whose KEK version is older than the latest, decrypt its DEK with the old KEK, re-encrypt the DEK with the latest KEK, and update the stored KEK version. The data ciphertext is left as it is, since the DEK itself does not change. Once no record references an old version, that version can be removed from the key vault.
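The whole flow from the diagram, including rotation and migration, as an added Go example (not the source code the page refers to). It assumes AES-256-GCM for both layers, an in-memory KeyVault standing in for the real key vault, and a record shape of (ciphertext, wrapped DEK, KEK version); the sample data in main is constructed. One deliberate difference from the diagram: the vault exposes Wrap/Unwrap instead of handing KEKs to the service, which is how a KMS- or HSM-backed vault behaves (the KEK never leaves it). The service-side logic is otherwise identical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is the database row from the diagram.
type Record struct {
	Ciphertext []byte // data under the DEK: AES-256-GCM, nonce || ct || tag
	WrappedDEK []byte // DEK under the KEK, same format
	KEKVersion int    // which KEK version wrapped the DEK
}

// KeyVault stands in for the key vault: it keeps every KEK version and only wraps/unwraps DEKs.
type KeyVault struct {
	keks   map[int][]byte
	latest int
}

func must[T any](val T, err error) T { // only for errors that mean a bug: bad key length, broken RNG
	if err != nil {
		panic(err)
	}
	return val
}

func NewKeyVault() *KeyVault        { return &KeyVault{keks: map[int][]byte{}} }
func randomBytes(n int) []byte      { b := make([]byte, n); must(rand.Read(b)); return b }
func gcmFor(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func kekAAD(version int) []byte     { return []byte(fmt.Sprintf("kek-v%d", version)) } // ties a wrap to its version

// seal encrypts under a fresh random nonce and returns nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails on a wrong key, wrong AAD or any modified byte.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("sealed blob too short")
}

// Rotate adds a fresh 256-bit KEK as the latest version. Old versions stay in the vault.
func (v *KeyVault) Rotate() int {
	v.latest++
	v.keks[v.latest] = randomBytes(32)
	return v.latest
}

// Wrap encrypts a DEK under the latest KEK and reports which version was used. The version
// goes into the AAD, so a row whose KEK version column was altered fails to unwrap.
func (v *KeyVault) Wrap(dek []byte) ([]byte, int) { return seal(v.keks[v.latest], dek, kekAAD(v.latest)), v.latest }

// Unwrap recovers a DEK that was wrapped under the given KEK version.
func (v *KeyVault) Unwrap(wrapped []byte, version int) ([]byte, error) {
	kek, ok := v.keks[version]
	if !ok {
		return nil, fmt.Errorf("unknown KEK version %d", version)
	}
	return open(kek, wrapped, kekAAD(version))
}

// Encrypt is the "submit data" path: random DEK, data under the DEK, DEK under the latest KEK.
func Encrypt(v *KeyVault, plaintext []byte) Record {
	dek := randomBytes(32)
	wrapped, version := v.Wrap(dek)
	return Record{Ciphertext: seal(dek, plaintext, nil), WrappedDEK: wrapped, KEKVersion: version}
}

// Decrypt is the "get data" path: unwrap with the version the row names, then open the data.
func Decrypt(v *KeyVault, r Record) ([]byte, error) {
	dek, err := v.Unwrap(r.WrappedDEK, r.KEKVersion)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, nil)
}

// Rewrap migrates a row to the latest KEK: only the DEK is re-wrapped; the data ciphertext is untouched.
func Rewrap(v *KeyVault, r Record) (Record, error) {
	dek, err := v.Unwrap(r.WrappedDEK, r.KEKVersion)
	if err != nil {
		return Record{}, err
	}
	wrapped, version := v.Wrap(dek)
	return Record{Ciphertext: r.Ciphertext, WrappedDEK: wrapped, KEKVersion: version}, nil
}

func main() {
	vault := NewKeyVault()
	vault.Rotate()                                   // KEK_v1
	rec := Encrypt(vault, []byte("ssn=123-45-6789")) // constructed sample data
	vault.Rotate()                                   // KEK_v2: new writes use v2; rec still names v1
	migrated := must(Rewrap(vault, rec))
	fmt.Printf("kek v%d -> v%d: %s\n", rec.KEKVersion, migrated.KEKVersion, must(Decrypt(vault, migrated)))
}
```

Two details worth copying into a real implementation: the KEK version is authenticated as AAD of the wrap, so a row whose version column was changed fails closed instead of being tried against the wrong key, and Rewrap carries the ciphertext over untouched, which is what makes migration cheap (one unwrap and one wrap per row, no re-encryption of the data).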


Source code is available on GitHub