Envelope Encryption
v1.0.0
Encrypt data with a random DEK, then wrap the DEK with a KEK — the industry-standard pattern used by AWS KMS, GCP CMEK, and Azure Key Vault.
Generate random DEK → Encrypt data with DEK (AES-256-GCM) → Wrap DEK with KEK → Output wrapped DEK + ciphertext + IV
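The flow above as an added Node.js example (not this tool's own code). Wrapping the DEK with AES-256-GCM under the KEK and packing the wrapped DEK as IV || tag || ciphertext are assumptions, since the page does not say which wrap algorithm it uses.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// AES-256-GCM with a fresh 96-bit IV per call; returns IV, ciphertext, 16-byte tag.
function gcmEncrypt(key, plaintext) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Throws if the tag does not verify (wrong key or modified data).
function gcmDecrypt(key, iv, ct, tag) {
  const d = createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]);
}

function envelopeEncrypt(kek, plaintext) {
  const dek = randomBytes(32);                                  // 1. random 256-bit DEK
  const data = gcmEncrypt(dek, Buffer.from(plaintext, 'utf8')); // 2. encrypt data with DEK
  const w = gcmEncrypt(kek, dek);                               // 3. wrap DEK with KEK (assumed: AES-256-GCM)
  dek.fill(0);                                                  // best-effort wipe of the plaintext DEK
  return {                                                      // 4. wrapped DEK + ciphertext + IV
    wrappedDek: Buffer.concat([w.iv, w.tag, w.ct]).toString('base64'),
    iv: data.iv.toString('base64'),
    ciphertext: Buffer.concat([data.ct, data.tag]).toString('base64'),
  };
}

function envelopeDecrypt(kek, env) {
  // Assumed layout of wrappedDek: 12-byte IV, 16-byte tag, 32-byte encrypted DEK.
  const w = Buffer.from(env.wrappedDek, 'base64');
  if (w.length !== 60) throw new Error('unexpected wrapped DEK length');
  const dek = gcmDecrypt(kek, w.subarray(0, 12), w.subarray(28), w.subarray(12, 28));
  const c = Buffer.from(env.ciphertext, 'base64');
  try {
    const split = c.length - 16;                                // tag is appended to the data ciphertext
    return gcmDecrypt(dek, Buffer.from(env.iv, 'base64'),
                      c.subarray(0, split), c.subarray(split)).toString('utf8');
  } finally {
    dek.fill(0);
  }
}
```

Only the KEK has to be held in a key store; rotating it means re-wrapping the 32-byte DEK, not re-encrypting the data.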