
Envelope Encryption

What it is: A method where a KMS key protects (wraps) a data key, and the data key is what actually encrypts the data.

What it’s for:

  • Efficient encryption for large data (don’t send big payloads to KMS to be encrypted directly; only the small data key goes to KMS).
  • Common pattern that many AWS services apply automatically.

How it works (high level):

  • KMS generates a data key.
  • Data is encrypted locally with the data key.
  • The data key is encrypted (“wrapped”) by the KMS key and stored alongside ciphertext.
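The three steps above, worked through as an added example (not from the original page or from AWS): a small in-memory stand-in plays the role of KMS, holding a master key that never leaves it and exposing only GenerateDataKey and Decrypt, the two operations an envelope-encrypting client actually needs. The client encrypts the payload locally with AES-256-GCM, discards the plaintext data key, and stores the wrapped data key next to the ciphertext. The wrapped key is also used as GCM associated data, so a ciphertext cannot be paired with a different wrapped key. All names (FakeKMS, Envelope, EnvelopeEncrypt, EnvelopeDecrypt) are assumptions for this illustration; a real deployment would replace FakeKMS with calls to the KMS API.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// FakeKMS is a constructed stand-in for AWS KMS: it holds the master (KMS) key
// and is the only component that ever sees it. Callers get only GenerateDataKey
// and Decrypt, mirroring the shape of the real service (not the AWS SDK API).
type FakeKMS struct {
	masterKey []byte // 32 bytes, AES-256
}

func NewFakeKMS() (*FakeKMS, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &FakeKMS{masterKey: k}, nil
}

// aesGCMSeal encrypts plaintext under key and returns nonce || ciphertext || tag.
func aesGCMSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aesGCMOpen reverses aesGCMSeal; any modification of the sealed bytes or the
// associated data makes the authentication tag check fail.
func aesGCMOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// GenerateDataKey: step 1. Returns a fresh data key in plaintext (for local use,
// then discarded) and the same key wrapped under the master key.
func (k *FakeKMS) GenerateDataKey() (plaintext, wrapped []byte, err error) {
	plaintext = make([]byte, 32)
	if _, err = rand.Read(plaintext); err != nil {
		return nil, nil, err
	}
	wrapped, err = aesGCMSeal(k.masterKey, plaintext, []byte("data-key"))
	if err != nil {
		return nil, nil, err
	}
	return plaintext, wrapped, nil
}

// Decrypt unwraps a data key; only the holder of the master key can do this.
func (k *FakeKMS) Decrypt(wrapped []byte) ([]byte, error) {
	return aesGCMOpen(k.masterKey, wrapped, []byte("data-key"))
}

// Envelope is what gets stored: the wrapped data key travels with the ciphertext.
type Envelope struct {
	WrappedDataKey []byte
	Ciphertext     []byte // nonce || AES-GCM ciphertext || tag
}

// EnvelopeEncrypt: steps 2 and 3. The payload never goes to KMS.
func EnvelopeEncrypt(kms *FakeKMS, payload []byte) (*Envelope, error) {
	dataKey, wrapped, err := kms.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	defer zero(dataKey) // plaintext data key must not outlive this call
	ct, err := aesGCMSeal(dataKey, payload, wrapped) // bind ciphertext to its wrapped key
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// EnvelopeDecrypt asks KMS only to unwrap the small data key, then decrypts locally.
func EnvelopeDecrypt(kms *FakeKMS, env *Envelope) ([]byte, error) {
	dataKey, err := kms.Decrypt(env.WrappedDataKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	defer zero(dataKey)
	return aesGCMOpen(dataKey, env.Ciphertext, env.WrappedDataKey)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	kms, err := NewFakeKMS()
	if err != nil {
		panic(err)
	}
	payload := bytes.Repeat([]byte("large payload "), 1000) // constructed sample input
	env, err := EnvelopeEncrypt(kms, payload)
	if err != nil {
		panic(err)
	}
	got, err := EnvelopeDecrypt(kms, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes, round trip ok: %v\n",
		len(env.WrappedDataKey), len(env.Ciphertext), bytes.Equal(got, payload))
}
```

Note the division of labour: KMS only ever processes 32-byte data keys, however large the payload is, which is why the pattern scales to big files. Losing access to the master key (or to the wrapped key stored with the object) makes the ciphertext unrecoverable, so the wrapped key is as important to persist as the ciphertext itself.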

Exam cues:

  • “encrypt large files efficiently” → envelope encryption.

Hard words:

  • *envelope* /ˈenvəloʊp/: envelope (metaphor for wrapping a key)
  • *payload* /ˈpeɪloʊd/: the data carried (the main content)
  • *ciphertext* /ˈsaɪfərˌtekst/: encrypted data
  • *wrapped* /ræpt/: wrapped (said of a key)
aws/security/envelope-encrytion.txt · Last modified: by phong2018