You are using AWS Envelope Encryption to encrypt all of your sensitive data.
Which of the following is true with regards to the AWS Envelope Encryption service?
A. First, the data is encrypted using an encrypted Data Key. The encrypted Data Key is then further encrypted using an encrypted Master Key.
B. First, the data is encrypted using a plaintext Data Key. The Data Key is then further encrypted using an encrypted Master Key.
C. First, the data is encrypted using an encrypted Data Key. The encrypted Data Key is then further encrypted using a plaintext Master Key.
D. First, the data is encrypted using a plaintext Data Key. The Data Key is then further encrypted using a plaintext Master Key.
Correct Answer - D.
With Envelope Encryption, unencrypted data is encrypted using a plaintext Data key.
This Data key is further encrypted using a plaintext Master key.
This plaintext Master key is securely stored in AWS KMS and is known as a Customer Master Key.
Option A is incorrect because the Data Key used to encrypt the data is plaintext, as is the Master key used to encrypt Data Keys.
Option B is incorrect as the Master key used to encrypt Data Keys is in plaintext format.
Option C is incorrect as the Data Key used for encryption of data is in plaintext format.
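The flow described above (data encrypted under a plaintext data key, the data key then encrypted under the master key, and only the wrapped data key stored beside the ciphertext) as an added, self-contained example. This is not code from the page or from AWS; a local AES-256-GCM key named MasterKey stands in for the KMS Customer Master Key, and GenerateDataKey / UnwrapDataKey are hypothetical stand-ins for the KMS GenerateDataKey and Decrypt calls, so it runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what is stored next to the data: the ciphertext plus the data key
// wrapped under the master key. The plaintext data key is never persisted.
type Envelope struct {
	WrappedDataKey []byte // data key sealed under the master key (nonce || ciphertext || tag)
	Ciphertext     []byte // data sealed under the plaintext data key (nonce || ciphertext || tag)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; aad is authenticated only.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open is the inverse of seal; any tampering with nonce, ciphertext, tag or aad fails.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// MasterKey is a hypothetical stand-in for the KMS Customer Master Key: it only ever
// wraps and unwraps data keys and is never used on bulk data (in KMS it never leaves the service).
type MasterKey struct{ key []byte }

func NewMasterKey() (*MasterKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &MasterKey{key: k}, nil
}

// GenerateDataKey mirrors KMS GenerateDataKey: a fresh plaintext data key for immediate
// use, plus the same key wrapped under the master key for storage.
func (m *MasterKey) GenerateDataKey() (plaintext, wrapped []byte, err error) {
	plaintext = make([]byte, 32)
	if _, err = rand.Read(plaintext); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(m.key, plaintext, []byte("data-key"))
	return plaintext, wrapped, err
}

// UnwrapDataKey mirrors KMS Decrypt applied to a wrapped data key.
func (m *MasterKey) UnwrapDataKey(wrapped []byte) ([]byte, error) {
	return open(m.key, wrapped, []byte("data-key"))
}

// Encrypt: the data is encrypted with the plaintext data key, which is then zeroed;
// only the wrapped copy travels with the ciphertext.
func Encrypt(m *MasterKey, data []byte) (*Envelope, error) {
	dataKey, wrapped, err := m.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, data, nil)
	if err != nil {
		return nil, err
	}
	for i := range dataKey { dataKey[i] = 0 } // drop the plaintext data key after use
	return &Envelope{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt: unwrap the data key with the master key, then open the ciphertext with it.
func Decrypt(m *MasterKey, env *Envelope) ([]byte, error) {
	dataKey, err := m.UnwrapDataKey(env.WrappedDataKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, env.Ciphertext, nil)
}

func main() {
	mk, _ := NewMasterKey()
	env, _ := Encrypt(mk, []byte("constructed sample record: account=12345")) // constructed sample
	got, err := Decrypt(mk, env)
	fmt.Printf("wrapped key %d bytes, ciphertext %d bytes, decrypted=%q err=%v\n",
		len(env.WrappedDataKey), len(env.Ciphertext), got, err)
}
```

The point worth noticing is the asymmetry in exposure: the master key only ever processes 32-byte data keys, so compromising a stored envelope yields a ciphertext and a wrapped key that are useless without a call to the master key holder, and losing a single data key exposes only the one object it protected.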
For more information on AWS KMS Envelope Encryption, refer to the following URL:
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html

Sure, I'd be happy to provide you with a detailed explanation of AWS Envelope Encryption.
AWS Envelope Encryption is a security mechanism that allows you to encrypt sensitive data using a combination of symmetric and asymmetric encryption techniques. It works by generating a unique Data Key for each piece of data that needs to be encrypted. The Data Key is then used to encrypt the data, and the encrypted Data Key is stored alongside the data. This is known as "envelope encryption" because the data is wrapped in an envelope of encryption keys.
The Data Key is itself encrypted using a Master Key. This Master Key can be stored and managed securely using AWS Key Management Service (KMS), which is a fully managed service that makes it easy to create and control encryption keys.
Now, let's take a look at the options provided in the exam question:
A. First, the data is encrypted using an encrypted Data Key. The encrypted Data Key is then further encrypted using an encrypted Master Key.
This option is correct. Envelope Encryption works by first encrypting the Data Key using an encrypted Master Key. The encrypted Data Key is then used to encrypt the sensitive data. This provides an additional layer of security, as an attacker would need both the Master Key and the Data Key to decrypt the sensitive data.
B. First, the data is encrypted using a plaintext Data Key. The Data Key is then further encrypted using an encrypted Master Key.
This option is incorrect. The Data Key should never be stored or transmitted in plaintext, as it would compromise the security of the entire system. Therefore, this option is not a valid option for AWS Envelope Encryption.
C. First, the data is encrypted using an encrypted Data Key. The encrypted Data Key is then further encrypted using a plaintext Master Key.
This option is incorrect. The Master Key should always be encrypted, whether it is stored or transmitted. Therefore, this option is not a valid option for AWS Envelope Encryption.
D. First, the data is encrypted using a plaintext Data Key. The Data Key is then further encrypted using a plaintext Master Key.
This option is incorrect. Both the Data Key and the Master Key should be encrypted, whether they are stored or transmitted. Therefore, this option is not a valid option for AWS Envelope Encryption.
To summarize, the correct answer is A, which states that the data is first encrypted using an encrypted Data Key, which is then further encrypted using an encrypted Master Key.