====== Envelope Encryption ======

**What it is:** A method where a KMS key protects a data key, and the data key encrypts the actual data.

**What it’s for:**
  * Efficient encryption for large data (don’t use KMS directly to encrypt big payloads).
  * Common pattern used by many AWS services automatically.

**How it works (high level):**
  * KMS generates a **data key**.
  * Data is encrypted locally with the data key.
  * The data key is encrypted (“wrapped”) by the KMS key and stored alongside the ciphertext.

**Exam cues:**
  * “encrypt large files efficiently” → envelope encryption.

**Hard words:**
  * *envelope* /ˈenvəloʊp/: envelope (a metaphor for wrapping the key)
  * *payload* /ˈpeɪloʊd/: the data being carried (the main content)
  * *ciphertext* /ˈsaɪfərˌtekst/: encrypted data
  * *wrapped* /ræpt/: wrapped (said of the key)
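The three "How it works" steps above, as an added example that is not part of this page or of any AWS SDK: a ''MockKMS'' type stands in for KMS (assumption: the master key never leaves it), AES-256-GCM is used both to wrap the data key and to encrypt the data (real KMS wraps with its own mechanism behind the API), and the names ''EnvelopeEncrypt'' / ''EnvelopeDecrypt'' are hypothetical. Requires Go 1.18+ for the generic ''must'' helper.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
func must[T any](v T, err error) T { // fixed 32-byte keys: these calls fail only on a bug
	if err != nil {
		panic(err)
	}
	return v
}
// seal encrypts with AES-256-GCM and returns nonce||ciphertext||tag; it wraps the data key and encrypts the data.
func seal(key, plaintext []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; any tampering with nonce, ciphertext or tag is rejected.
func open(key, sealed []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}
type MockKMS struct{ master []byte } // stands in for AWS KMS here (assumption): the master key never leaves it
// GenerateDataKey mirrors KMS GenerateDataKey: a fresh data key, returned in plaintext and wrapped form.
func (k *MockKMS) GenerateDataKey() (plain, wrapped []byte) {
	plain = make([]byte, 32)
	must(rand.Read(plain))
	return plain, seal(k.master, plain)
}
type Envelope struct{ WrappedKey, Ciphertext []byte } // what gets stored: wrapped key travels with the ciphertext
// EnvelopeEncrypt: one small KMS call for the key, then the bulk data is encrypted locally.
func EnvelopeEncrypt(kms *MockKMS, data []byte) Envelope {
	plain, wrapped := kms.GenerateDataKey()
	return Envelope{WrappedKey: wrapped, Ciphertext: seal(plain, data)} // plaintext key dropped here
}
// EnvelopeDecrypt asks KMS to unwrap the data key (mirrors KMS Decrypt), then decrypts locally.
func EnvelopeDecrypt(kms *MockKMS, env Envelope) ([]byte, error) {
	plain, err := open(kms.master, env.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(plain, env.Ciphertext)
}
```

Note that only the small wrapped key ever goes through the KMS boundary; the payload itself never does, which is why the pattern scales to large objects.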