KEK is the Key Encryption Key; DEK is the Data Encryption Key.
Use the KEK/DEK pattern (envelope encryption) for database encryption at rest.
```mermaid
sequenceDiagram
participant client
participant service
participant key_vault
participant database
service ->> service: init
service ->> key_vault: get KEK_v1, KEK_v2, ...
client ->> service: submit data
service ->> service: random DEK
service ->> service: encrypt data using DEK
service ->> service: encrypt DEK using latest KEK
service ->> database: save encrypted data, encrypted DEK, KEK version
client ->> service: get data
service ->> database: get encrypted data, encrypted DEK, KEK version
service ->> service: decrypt DEK using saved KEK version
service ->> service: decrypt data using DEK
```
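The flow in the diagram above, written out as an added Go example (this is not code from the original page). The names KeyVault, Record, Encrypt, Decrypt and Rewrap are assumed, as is the choice of AES-256-GCM for both the data and the DEK. It goes one step beyond the diagram with Rewrap, which re-encrypts only the wrapped DEK under the newest KEK, the step that lets a KEK rotation leave the stored ciphertext untouched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyVault, Record, Encrypt, Decrypt and Rewrap are names assumed for this example.
// keks[i] holds KEK version i+1, as fetched from the key vault at service init.
type KeyVault struct{ keks [][]byte }

// Record is the database row: encrypted data, encrypted (wrapped) DEK, KEK version.
type Record struct {
	Ciphertext []byte
	WrappedDEK []byte
	KEKVersion int
}

// AddKEK registers the next KEK version (what a rotation delivers) and returns its number.
func (v *KeyVault) AddKEK(kek []byte) int { v.keks = append(v.keks, kek); return len(v.keks) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts with AES-256-GCM; the random nonce is prefixed to the output.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; the GCM tag check rejects a wrong key or tampered bytes.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Encrypt: random DEK, encrypt data with the DEK, wrap the DEK with the latest KEK.
func (v *KeyVault) Encrypt(data []byte) (Record, error) {
	if len(v.keks) == 0 {
		return Record{}, fmt.Errorf("no KEK loaded")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := sealGCM(dek, data)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := sealGCM(v.keks[len(v.keks)-1], dek)
	return Record{Ciphertext: ct, WrappedDEK: wrapped, KEKVersion: len(v.keks)}, err
}

// unwrapDEK uses the KEK version saved with the record, never the latest one.
func (v *KeyVault) unwrapDEK(r Record) ([]byte, error) {
	if r.KEKVersion < 1 || r.KEKVersion > len(v.keks) {
		return nil, fmt.Errorf("unknown KEK version %d", r.KEKVersion)
	}
	return openGCM(v.keks[r.KEKVersion-1], r.WrappedDEK)
}

// Decrypt: unwrap the DEK, then decrypt the data with it.
func (v *KeyVault) Decrypt(r Record) ([]byte, error) {
	dek, err := v.unwrapDEK(r)
	if err != nil {
		return nil, err
	}
	return openGCM(dek, r.Ciphertext)
}

// Rewrap re-encrypts only the DEK under the latest KEK; the data ciphertext is
// untouched, so rotating the KEK never means re-encrypting the data itself.
func (v *KeyVault) Rewrap(r Record) (Record, error) {
	dek, err := v.unwrapDEK(r)
	if err != nil {
		return Record{}, err
	}
	r.WrappedDEK, err = sealGCM(v.keks[len(v.keks)-1], dek)
	r.KEKVersion = len(v.keks)
	return r, err
}
```

Two design points worth noticing. The KEK version travels with the row, so decryption always picks the KEK that actually wrapped the DEK, and adding a new KEK version cannot break reads of older rows. And because GCM authenticates, a modified ciphertext or wrapped DEK fails with an error instead of decrypting to garbage.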
When rotating the KEK:
Limitation:
To query an encrypted field, we need a keyed hash of it:
a `[32]byte` value, stored as `BINARY(32)` in MySQL.
```mermaid
sequenceDiagram
participant client
participant service
participant key_vault
participant database
service ->> service: init
service ->> key_vault: get HASH_KEY_v1, HASH_KEY_v2, ...
client ->> service: submit data
service ->> service: hash data using latest HASH_KEY
service ->> database: save hash data, HASH_KEY version
client ->> service: query data
service ->> service: hash data using all HASH_KEY
service ->> database: query using all HASH_KEY version and hashed data
```
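The query path from the diagram above, as an added Go example that is not part of the original page. HashKeyRing, Row, Candidate, WhereClause and the column names hash_key_version and hash are assumed names; HMAC-SHA256 is an assumed choice for the keyed hash, which yields the 32-byte value that fits the `[32]byte` / `BINARY(32)` column. Query is an in-memory stand-in for the database lookup so the block runs offline.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strings"
)

// HashKeyRing, Row, Candidate and the column names are assumed for this example.
// keys[i] holds HASH_KEY version i+1, fetched from the key vault at service init.
type HashKeyRing struct{ keys [][]byte }

// Row mirrors the stored columns: the 32-byte HMAC (BINARY(32) in MySQL) and
// the HASH_KEY version it was computed with. The plaintext is never stored here.
type Row struct {
	ID             int
	Hash           [32]byte
	HashKeyVersion int
}

// Candidate is one (version, hash) pair a query must match.
type Candidate struct {
	Version int
	Hash    [32]byte
}

func (r *HashKeyRing) AddKey(k []byte) int { r.keys = append(r.keys, k); return len(r.keys) }

// Hash computes HMAC-SHA256 of the field under a given HASH_KEY version. A keyed
// hash (rather than plain SHA-256) means a copy of the database alone is not
// enough to enumerate low-entropy fields such as e-mail addresses.
func (r *HashKeyRing) Hash(version int, data []byte) ([32]byte, error) {
	var out [32]byte
	if version < 1 || version > len(r.keys) {
		return out, fmt.Errorf("unknown HASH_KEY version %d", version)
	}
	mac := hmac.New(sha256.New, r.keys[version-1])
	mac.Write(data)
	copy(out[:], mac.Sum(nil))
	return out, nil
}

// Index is the write path: hash with the latest HASH_KEY and save both columns.
func (r *HashKeyRing) Index(data []byte) (Candidate, error) {
	h, err := r.Hash(len(r.keys), data)
	return Candidate{Version: len(r.keys), Hash: h}, err
}

// Lookups is the query path: hash under every HASH_KEY version, so rows indexed
// before a rotation are still found.
func (r *HashKeyRing) Lookups(data []byte) []Candidate {
	cands := make([]Candidate, 0, len(r.keys))
	for v := 1; v <= len(r.keys); v++ {
		h, _ := r.Hash(v, data) // v is always in range here
		cands = append(cands, Candidate{Version: v, Hash: h})
	}
	return cands
}

// WhereClause renders the candidates as a MySQL row-constructor IN list with
// placeholders, e.g. (hash_key_version, hash) IN ((?, ?), (?, ?)).
func WhereClause(cands []Candidate) (string, []any) {
	tuples := make([]string, len(cands))
	args := make([]any, 0, 2*len(cands))
	for i, c := range cands {
		tuples[i] = "(?, ?)"
		args = append(args, c.Version, c.Hash[:])
	}
	return "(hash_key_version, hash) IN (" + strings.Join(tuples, ", ") + ")", args
}

// Query is an in-memory stand-in for the database: return the IDs of rows whose
// (version, hash) pair matches any candidate.
func Query(rows []Row, cands []Candidate) []int {
	want := make(map[Candidate]struct{}, len(cands))
	for _, c := range cands {
		want[c] = struct{}{}
	}
	var ids []int
	for _, row := range rows {
		if _, ok := want[Candidate{Version: row.HashKeyVersion, Hash: row.Hash}]; ok {
			ids = append(ids, row.ID)
		}
	}
	return ids
}
```

The (version, hash) pair is matched as a unit: a hash computed under HASH_KEY_v1 must only match rows that were written under v1, which is why the version column takes part in the query rather than the hash alone. The number of candidates grows with the number of live HASH_KEY versions, so the query cost is one of the things to weigh when deciding how many old versions to keep loaded.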
When rotating the HASH_KEY: