Which statement describes key management service (KMS) and envelope encryption?

Study for the Cloud and Collaboration Systems Test. Use flashcards and multiple choice questions, each with hints and detailed explanations. Prepare for your exam with confidence!

Multiple Choice

Which statement describes key management service (KMS) and envelope encryption?

Explanation:
Key management services provide a secure way to create, store, rotate, and access cryptographic keys without exposing them to applications. Envelope encryption pairs with this by using a unique data key to encrypt the actual data. That data key itself is protected by a master key held in the key management service. In practice, you generate a data key to encrypt your data, then encrypt that data key with the master key and store the encrypted data key alongside the ciphertext. When decrypting, you first decrypt the data key with the master key, then use that data key to decrypt the data. This approach enhances security and performance, since the master key never directly decrypts the data and data keys can be short-lived and rotated.

The other statements miss how envelope encryption works or mix up the roles: one describes KMS as storage for objects, which is not its purpose; another wrongly states that the master key encrypts the data key which then decrypts the data. In fact the data key encrypts the data, and the master key decrypts the data key to allow decrypting the data.