~

KEK is Key Encryption Key. DEK is Data Encryption Key.

Use KEK DEK for database encryption at rest.

• KEK is saved in key vault
• DEK is random for each record
• Do not save DEK directly in database, use KEK to encrypt DEK, then save encrypted DEK instead

sequenceDiagram
    participant client
    participant service
    participant key_vault
    participant database

    service ->> service: init
    service ->> key_vault: get KEK_v1, KEK_v2, ...

    client ->> service: submit data
    service ->> service: random DEK
    service ->> service: encrypt data using DEK
    service ->> service: encrypt DEK using latest KEK
    service ->> database: save encrypted data, encrypted DEK, KEK version

    client ->> service: get data
    service ->> database: get encrypted data, encrypted DEK, KEK version
    service ->> service: decrypt DEK using saved KEK version
    service ->> service: decrypt data using DEK

When rotate key:

• Create new KEK
• New record will use new KEK
• Old record can decrypt using old KEK

Migrate old data:

• Encrypted data is untouched
• Query all encrypted DEK with old KEK version, then update only new encrypted DEK and new KEK version

• AWS Encryption context: Add additional authenticated data (AAD) into encryption and decryption process in application level.