implementing-envelope-encryption-with-aws-kms

Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a master key (KEK) managed by AWS KMS. This approach allows encrypting

mukul975/Anthropic-Cybersecurity-Skills|Updated May 25, 2026

Works with

Claude CodeCursorClineWindsurfCodex

Installation Guide

Select your AI agent

How to use implementing-envelope-encryption-with-aws-kms on Cursor

AI-first code editor with Composer

Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

›Cursor installed and configured on your machine
›Node.js 16+ with npm — verify with node --version
›Active project directory where you want to add implementing-envelope-encryption-with-aws-kms

Run the install command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/implementing-envelope-encryption-with-aws-kms

Fetches implementing-envelope-encryption-with-aws-kms from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.

Select Cursor when prompted

The CLI shows a list of agents. Use arrow keys and space to select Cursor:

◆ Which agents do you want to install to?

│

│ ── Universal (.agents/skills) ────────────────

│ · Cline · Codex · Goose · Windsurf

│ ●Cursor(selected)

│ · Cursor · Aider · Continue

Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/implementing-envelope-encryption-with-aws-kms

Restart Cursor to activate implementing-envelope-encryption-with-aws-kms. Access via /implementing-envelope-encryption-with-aws-kms in your agent's command palette.

⚠

Security Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.

›View source on GitHub ›Skills CLI docs ›About Cursor ›What are agent skills?

Documentation

List & Monetize Your Skill

Submit your Claude Code skill and start earning

Get started →

Use Cases

Task Automation & Efficiency

Automate repetitive workflows and reduce manual effort

Example

Generate reports, summarize documents, draft communications

✓

Save 3-5 hours per week on routine tasks

Knowledge Enhancement

Learn new skills, understand complex topics, get expert guidance

Example

Explain concepts, provide examples, suggest learning resources

✓

Accelerate learning and skill development by 2x

Quality Improvement

Enhance output quality through reviews, suggestions, and refinements

Example

Review drafts, suggest improvements, catch errors

✓

Improve work quality by 30-40% with less effort

Overview

Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a master key (KEK) managed by AWS KMS. This approach allows encrypting large volumes of data locally while keeping the master key secure in a hardware security module (HSM) managed by AWS. This skill covers implementing envelope encryption using AWS KMS GenerateDataKey API.

When to Use

When deploying or configuring implementing envelope encryption with aws kms capabilities in your environment

When establishing security controls aligned to compliance requirements

When building or improving security architecture for this domain

When conducting security assessments that require this implementation

Objectives

Understand the envelope encryption pattern and its advantages

Generate data encryption keys using AWS KMS GenerateDataKey

Encrypt/decrypt data locally using DEKs

Store encrypted DEK alongside ciphertext

Implement key caching to reduce KMS API calls

Handle key rotation with automatic re-encryption

Implement multi-region encryption for disaster recovery

Key Concepts

Envelope Encryption Flow

Call kms:GenerateDataKey to get plaintext DEK + encrypted DEK

Use plaintext DEK to encrypt data locally (AES-256-GCM)

Store encrypted DEK alongside ciphertext

Discard plaintext DEK from memory

For decryption: call kms:Decrypt on encrypted DEK, then decrypt data

Advantages Over Direct KMS Encryption

Aspect	Direct KMS	Envelope Encryption
Max data size	4 KB	Unlimited
Latency	Network round-trip per operation	Local encryption
Cost	$0.03/10,000 requests	Fewer KMS requests
Offline	Not possible	Yes (with cached DEKs)

KMS Key Types

AWS Managed: AWS creates and manages (aws/s3, aws/ebs)

Customer Managed: You create and manage policies

Custom Key Store: Backed by CloudHSM cluster

Security Considerations

Never store plaintext DEK; only keep encrypted DEK

Use key policies to restrict who can call GenerateDataKey and Decrypt

Enable AWS CloudTrail logging for all KMS API calls

Implement key rotation (automatic annual rotation for CMKs)

Use encryption context for authenticated encryption metadata

Handle KMS throttling with exponential backoff

Validation Criteria

GenerateDataKey returns plaintext and encrypted DEK

Data encrypts correctly with plaintext DEK using AES-256-GCM

Encrypted DEK can be decrypted via KMS Decrypt API

Decrypted DEK recovers the original data

Plaintext DEK is wiped from memory after use

Encryption context is validated during decryption

Key rotation re-encrypts DEKs with new master key

name	implementing-envelope-encryption-with-aws-kms
description	Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a master key (KEK) managed by AWS KMS. This approach allows encrypting
domain	cybersecurity
subdomain	cryptography
tags	- cryptography - encryption - aws - kms - envelope-encryption - key-management
version	'1.0'
author	mahipal
license	Apache-2.0
nist_csf	- PR.DS-01 - PR.DS-02 - PR.DS-10

implementing-envelope-encryption-with-aws-kms

Installation Guide

How to use implementing-envelope-encryption-with-aws-kms on Cursor

Prerequisites

Run the install command

Select Cursor when prompted

Verify installation

Security Notice

Documentation

List & Monetize Your Skill

Use Cases

Task Automation & Efficiency

Knowledge Enhancement

Quality Improvement

Install Skill

Implementing Envelope Encryption with AWS KMS

Overview

When to Use

Prerequisites

Objectives

Key Concepts

Envelope Encryption Flow

Advantages Over Direct KMS Encryption

KMS Key Types

Security Considerations

Validation Criteria

Implementation Guide

Best Practices

When to Use This

Learning Path

Related Skills

performing-cryptographic-audit-of-application

analyzing-ransomware-encryption-mechanisms

implementing-soar-playbook-with-palo-alto-xsoar

exploiting-deeplink-vulnerabilities

analyzing-network-traffic-with-wireshark

generating-threat-intelligence-reports

Reviews

Discussion