Now we have an understanding of CMKs, I want to talk about data keys. Data keys are created by CMKs. However, they do not reside inside the KMS service as CMKs do; instead, these are used outside of KMS to perform encryption against your data.
When a request to generate a data key is received by KMS, the associated CMK in the request will create the two data encryption keys (DEKs); one will be a plaintext key, and the other will be an identical key, but this will be encrypted:
The process of using one key to encrypt another key like this is known as envelope encryption.
During the encryption process, the plaintext data key will be used to perform the encryption of your data using an encryption algorithm. Once the encryption has taken place, this plaintext data key will then be deleted and the encrypted data key will be stored and associated with the encrypted data.
At this point, your data is now encrypted, and the only way to access...