In depth
Envelope encryption is the standard pattern for storing many secrets without ever having to decrypt them en masse. Each credential row carries its own data encryption key (DEK); the DEK is itself encrypted ("wrapped") with a master key, the key encryption key (KEK), held by your KMS. To use a credential, the runtime asks the KMS to unwrap that one DEK, then uses the DEK locally to decrypt the secret. The KEK never leaves the KMS, and no DEK is ever written to disk in plaintext; the unwrapped DEK exists only in the runtime's memory for the duration of the operation. Two practical consequences: compromise of the database alone yields only wrapped keys and ciphertext, and every unwrap is an individual, auditable KMS call that your IAM policy can gate per service.
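A runnable illustration of the pattern, added here as an example and not code from the original page or from the Digitorn codebase. The `KMS` type is a hypothetical in-process stand-in for a real KMS API (it keeps the KEK private and exposes only wrap/unwrap); the row layout, the `cred-42` identifiers and the secrets are constructed sample data. It goes slightly beyond the paragraph in one respect: the row ID is passed as AES-GCM associated data on both layers, so a wrapped DEK or ciphertext copied from one row into another fails authentication instead of silently decrypting.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Row is what the credential table persists: the DEK wrapped by the KMS and
// the secret encrypted under that DEK. No plaintext key is ever stored.
type Row struct {
	ID         string
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prefixed
	Ciphertext []byte // AES-256-GCM(DEK, secret), nonce prefixed
}

// KMS is a hypothetical stand-in for a real KMS (AWS KMS, GCP KMS, Vault transit).
// The KEK lives only inside this struct; callers never read it.
type KMS struct{ kek []byte }

func NewKMS() (*KMS, error) {
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return nil, err
	}
	return &KMS{kek: kek}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-GCM and returns nonce||ciphertext||tag.
// aad (here the row ID) binds the blob to its row, so it cannot be moved.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func unseal(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Wrap and Unwrap model the KMS Encrypt/Decrypt calls: the DEK crosses the
// boundary, the KEK never does.
func (k *KMS) Wrap(dek, aad []byte) ([]byte, error)     { return seal(k.kek, dek, aad) }
func (k *KMS) Unwrap(wrapped, aad []byte) ([]byte, error) { return unseal(k.kek, wrapped, aad) }

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// EncryptRow draws a fresh 256-bit DEK, seals the secret under it, has the KMS
// wrap the DEK, then zeroes the plaintext DEK before returning.
func EncryptRow(kms *KMS, id string, secret []byte) (Row, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Row{}, err
	}
	defer zero(dek)
	aad := []byte(id)
	ct, err := seal(dek, secret, aad)
	if err != nil {
		return Row{}, err
	}
	wrapped, err := kms.Wrap(dek, aad)
	if err != nil {
		return Row{}, err
	}
	return Row{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRow costs exactly one KMS call (the unwrap); the secret is decrypted locally.
func DecryptRow(kms *KMS, r Row) ([]byte, error) {
	aad := []byte(r.ID)
	dek, err := kms.Unwrap(r.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("kms unwrap: %w", err)
	}
	defer zero(dek)
	return unseal(dek, r.Ciphertext, aad)
}

func main() {
	kms, _ := NewKMS()
	row, _ := EncryptRow(kms, "cred-42", []byte("db-password")) // constructed sample
	pt, err := DecryptRow(kms, row)
	fmt.Printf("row %s -> %q (err=%v)\n", row.ID, pt, err)

	other, _ := EncryptRow(kms, "cred-43", []byte("api-token"))
	other.WrappedDEK = row.WrappedDEK // attacker moves a wrapped DEK across rows
	_, err = DecryptRow(kms, other)
	fmt.Println("cross-row DEK rejected:", err != nil)
}
```

Two details worth keeping when you swap in a real KMS client: the associated data becomes the KMS encryption context (or equivalent) so the binding survives the provider boundary, and the DEK zeroing is best effort in a garbage-collected language; the real control is keeping the unwrap window short and the runtime itself trustworthy.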