Master key management vocabulary: key rotation, key wrapping, HSM, KMS, master keys, data encryption keys (DEK), and AWS KMS usage.
1 / 5
What is 'key rotation' and why is it a security best practice?
Key rotation limits the blast radius of a key compromise: if a key is stolen, only data encrypted under that key (within its active period) is at risk. Automated rotation (e.g. every 90 days in AWS KMS) is a standard security control.
2 / 5
What is 'key wrapping'?
Key wrapping uses a master key or KEK to encrypt (wrap) a DEK for storage or transmission. Only someone with the master key can unwrap the DEK. This is the core of envelope encryption used by AWS KMS, GCP KMS, and Azure Key Vault.
3 / 5
What is an HSM (Hardware Security Module)?
An HSM is a physical device hardened against tampering and key extraction. It generates keys internally, performs cryptographic operations inside the device, and is certified to FIPS 140-2 Level 3 or higher — the gold standard for key protection.
4 / 5
A team says 'we store our encryption keys in AWS KMS'. What does this mean in practice?
AWS KMS stores master keys in FIPS-validated HSMs. Applications call the KMS API to encrypt/decrypt data — the plaintext key never leaves KMS. KMS integrates with CloudTrail for full audit logging of every key usage event.
5 / 5
What is the difference between a 'master key' and a 'data encryption key (DEK)' in envelope encryption?
Envelope encryption separates concerns: DEKs are generated per-resource and used to encrypt data (fast, local). DEKs are then wrapped by the master key (CMK) for storage. Only the CMK needs to be tightly controlled in the KMS — DEKs can be stored alongside the encrypted data.