Genesys Cloud Encryption: DEK vs KEK


 In the context of Genesys Cloud and AWS encryption key management, DEK (Data Encryption Key) and KEK (Key Encryption Key) are key components of the encryption process, particularly when working with services like AWS Key Management Service (KMS).

Here is the difference between DEK and KEK:

1. DEK (Data Encryption Key):

  • DEK is the key actually used to encrypt and decrypt your data.
  • In the case of Genesys Cloud, this key would be used to encrypt sensitive customer data, such as recordings or interactions stored in the cloud.
  • DEKs are typically ephemeral, meaning they are generated for each individual piece of data (e.g., a file or recording), and are rotated frequently to reduce risk.

2. KEK (Key Encryption Key):

  • KEK is a higher-level key used to encrypt the DEKs.
  • In AWS KMS, KEKs are managed by KMS and are used to protect the DEKs that encrypt your actual data.
  • This ensures that even if the stored DEKs are exposed, they remain protected, because they are encrypted by a KEK. The KEK itself is stored securely in AWS KMS.
  • KEKs provide an additional layer of security and are typically more long-lived than DEKs.

How they work together:

  • When a file (e.g., a call recording) is encrypted in Genesys Cloud, a DEK is generated and used to encrypt that specific file.
  • The DEK is then encrypted using the KEK, which is managed by AWS KMS.
  • The encrypted DEK is stored with the file. When the file needs to be decrypted, the KEK is used to decrypt the DEK, which in turn decrypts the file.

This layered approach is known as envelope encryption, where the data is encrypted by one key (DEK), and that key is encrypted by another key (KEK). It adds significant security by minimizing the exposure of the more sensitive encryption keys (DEKs).
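
The envelope flow described above, as an added Ruby sketch that is not Genesys Cloud or AWS code. It assumes AES-256-GCM as the cipher and uses a locally generated random KEK as a stand-in for the key held in AWS KMS; all function names are hypothetical. It goes one step beyond the text by showing that moving to a new KEK only re-wraps the DEK and leaves the data ciphertext untouched.

```ruby
require 'openssl'

NONCE_LEN = 12 # GCM nonce size in bytes
TAG_LEN = 16   # GCM authentication tag size in bytes

# AES-256-GCM encrypt. Returns nonce || tag || ciphertext as one binary string.
def seal(key, plaintext)
  raise ArgumentError, 'empty plaintext' if plaintext.empty?
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  nonce = cipher.random_iv
  cipher.auth_data = ''
  ciphertext = cipher.update(plaintext) + cipher.final
  nonce + cipher.auth_tag + ciphertext
end

# AES-256-GCM decrypt. Raises OpenSSL::Cipher::CipherError on a wrong key or tampering.
def unseal(key, blob)
  raise ArgumentError, 'blob too short' if blob.bytesize <= NONCE_LEN + TAG_LEN
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = blob.byteslice(0, NONCE_LEN)
  cipher.auth_tag = blob.byteslice(NONCE_LEN, TAG_LEN)
  cipher.auth_data = ''
  cipher.update(blob.byteslice(NONCE_LEN + TAG_LEN, blob.bytesize)) + cipher.final
end

# Fresh DEK per object: data is encrypted under the DEK, the DEK under the KEK.
# Only the wrapped DEK and the ciphertext are returned for storage.
def envelope_encrypt(kek, data)
  dek = OpenSSL::Random.random_bytes(32)
  { wrapped_dek: seal(kek, dek), ciphertext: seal(dek, data) }
end

# Unwrap the DEK with the KEK, then decrypt the data with the DEK.
def envelope_decrypt(kek, envelope)
  unseal(unseal(kek, envelope[:wrapped_dek]), envelope[:ciphertext])
end

# Move an envelope to a new KEK: only the small wrapped DEK is rewritten,
# the (possibly large) data ciphertext is left untouched.
def rewrap(old_kek, new_kek, envelope)
  envelope.merge(wrapped_dek: seal(new_kek, unseal(old_kek, envelope[:wrapped_dek])))
end

if __FILE__ == $PROGRAM_NAME
  kek = OpenSSL::Random.random_bytes(32) # local stand-in for the KEK held in KMS
  env = envelope_encrypt(kek, 'constructed sample recording bytes')
  puts envelope_decrypt(kek, env)
end
```

With a real KMS the plaintext KEK is never available to the application; the wrap and unwrap steps become calls to the service, and only the DEK is handled locally.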


For example, in your Genesys Cloud setup with AWS KMS:

  • DEKs would be generated for encrypting individual customer interaction recordings.
  • KEKs would be managed and rotated by AWS KMS to secure those DEKs.

