creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 13:44:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
ccce7d4e068efecc2f98c385c8e5c01d969fc9bc
Anthropic-Cybersecurity-Skills/skills/implementing-envelope-encryption-with-aws-kms/references/workflows.md
T

1.5 KiB
Raw Blame History

Workflows - Envelope Encryption with AWS KMS

Workflow 1: Encrypt Data with Envelope Encryption

[Application]
      |
[Call KMS GenerateDataKey]
(KeyId=CMK ARN, KeySpec=AES_256)
      |
[KMS Returns]:
  - Plaintext DEK (32 bytes)
  - Encrypted DEK (ciphertext blob)
      |
[Encrypt Data Locally]
(AES-256-GCM with plaintext DEK)
      |
[Store]:
  - Encrypted DEK (ciphertext blob)
  - Encrypted data (nonce + ciphertext + tag)
  - Encryption context metadata
      |
[Wipe Plaintext DEK from Memory]

Workflow 2: Decrypt Data

[Read Stored Data]
  - Encrypted DEK
  - Encrypted data
  - Encryption context
      |
[Call KMS Decrypt]
(CiphertextBlob=Encrypted DEK, EncryptionContext)
      |
[KMS Returns Plaintext DEK]
      |
[Decrypt Data Locally]
(AES-256-GCM with plaintext DEK)
      |
[Return Plaintext Data]
      |
[Wipe Plaintext DEK from Memory]

Workflow 3: Key Rotation

[Enable Automatic Key Rotation on CMK]
(KMS rotates backing key annually)
      |
[New GenerateDataKey calls use new backing key]
      |
[Old encrypted DEKs still decrypt]
(KMS tracks all backing key versions)
      |
[Optional: Re-encrypt old DEKs]
[Call KMS ReEncrypt to update DEK encryption]

Workflow 4: Multi-Region Encryption

[Primary Region (us-east-1)]
  |
  [Create Multi-Region CMK]
  [Replicate to us-west-2, eu-west-1]
  |
  [Encrypt with Regional Endpoint]
  |
[Secondary Region (us-west-2)]
  |
  [Same Key ID works for Decrypt]
  [No cross-region API calls needed]
Reference in New Issue View Git Blame Copy Permalink