Implements envelope encryption using the AWS KMS GenerateDataKey API: bulk data is encrypted locally with an AES-256-GCM data encryption key (DEK), and the DEK itself is protected by a KMS-managed key encryption key (KEK). Covers DEK caching, key rotation and multi-region recovery. Useful for low-latency, cost-effective encryption of payloads beyond the 4 KB limit of direct KMS Encrypt/Decrypt calls.
Slash command: /cybersecurity-skills-zh:implementing-envelope-encryption-with-aws-kms
Envelope encryption is a strategy in which data is encrypted with a data encryption key (DEK), and the DEK is in turn encrypted with a master key (the key encryption key, KEK) managed by AWS KMS. This lets an application encrypt large volumes of data locally while the master key never leaves the AWS-managed hardware security module (HSM). This skill covers implementing envelope encryption with the AWS KMS GenerateDataKey API.
Encrypt path: call kms:GenerateDataKey to obtain a plaintext DEK together with the encrypted (KEK-wrapped) DEK, encrypt the data locally with the plaintext DEK, then discard the plaintext DEK and store only the ciphertext and the encrypted DEK.

Decrypt path: call kms:Decrypt on the encrypted DEK to recover the plaintext DEK, then decrypt the data locally.

| Aspect | Direct KMS | Envelope encryption |
|---|---|---|
| Maximum data size | 4 KB | Unlimited |
| Latency | Network round trip per operation | Local encryption |
| Cost | $0.03 per 10,000 requests | Fewer KMS requests |
| Offline support | Not possible | Yes (with a cached DEK) |
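The encrypt and decrypt paths and the comparison table above, as an added worked example that is not part of this skill's own (Python) code. It is written in Go so that AES-256-GCM comes from the standard library and the whole thing runs offline; the `KeyProvider` interface, the `fakeKMS` type (a hypothetical in-process stand-in for kms:GenerateDataKey and kms:Decrypt, since a real KEK never leaves the KMS HSM), `Envelope`, and `CachingProvider` are all assumptions of this example. With a real deployment the `fakeKMS` would be replaced by an implementation of `KeyProvider` that calls the AWS SDK; the envelope format, AAD binding, DEK reuse cap and rotation behaviour do not change.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const nonceSize = 12 // standard GCM nonce length
// KeyProvider is the slice of KMS that envelope encryption needs (kms:GenerateDataKey,
// kms:Decrypt). Production code backs it with the AWS SDK; fakeKMS is an offline stand-in.
type KeyProvider interface {
	GenerateDataKey(keyID string) (plaintextDEK, wrappedDEK []byte, err error)
	Decrypt(wrappedDEK []byte) ([]byte, error)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }
// newGCM builds AES-256-GCM; every key in this scheme (KEK and DEK) is 32 bytes.
func newGCM(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// fakeKMS holds one AES-256 KEK per key ID (hypothetical stand-in: a real KEK never
// leaves the KMS HSM). Several IDs let the example show rotation.
type fakeKMS struct{ keks map[string][]byte }

// GenerateDataKey returns a fresh 256-bit DEK plus the DEK wrapped under the KEK. The
// blob (len byte, key ID, nonce, ciphertext) is self-describing, like a KMS ciphertext blob.
func (k *fakeKMS) GenerateDataKey(keyID string) ([]byte, []byte, error) {
	kek, ok := k.keks[keyID]
	if !ok || len(keyID) > 255 {
		return nil, nil, fmt.Errorf("unknown or overlong key %q", keyID)
	}
	dek, nonce := randomBytes(32), randomBytes(nonceSize)
	blob := append(append([]byte{byte(len(keyID))}, keyID...), nonce...)
	return dek, newGCM(kek).Seal(blob, nonce, dek, []byte(keyID)), nil
}

// Decrypt unwraps a DEK; it fails if the KEK was retired or the blob was altered.
func (k *fakeKMS) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 1 || len(blob) < 1+int(blob[0])+nonceSize {
		return nil, fmt.Errorf("malformed wrapped key")
	}
	keyID, rest := string(blob[1:1+int(blob[0])]), blob[1+int(blob[0]):]
	kek, ok := k.keks[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown key %q", keyID)
	}
	return newGCM(kek).Open(nil, rest[:nonceSize], rest[nonceSize:], []byte(keyID))
}

// Envelope is the stored record: the wrapped DEK travels with the ciphertext.
type Envelope struct{ WrappedDEK, Nonce, Ciphertext []byte }

// Encrypt fetches a DEK, seals the payload locally with AES-256-GCM and keeps only the
// wrapped DEK. aad binds context (e.g. the object key) so ciphertext cannot be swapped.
func Encrypt(p KeyProvider, keyID string, plaintext, aad []byte) (*Envelope, error) {
	dek, wrapped, err := p.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(nonceSize)
	return &Envelope{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: newGCM(dek).Seal(nil, nonce, plaintext, aad)}, nil
}

// Decrypt is one kms:Decrypt round trip for the DEK, then local AES-GCM.
func Decrypt(p KeyProvider, e *Envelope, aad []byte) ([]byte, error) {
	dek, err := p.Decrypt(e.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return newGCM(dek).Open(nil, e.Nonce, e.Ciphertext, aad)
}

// CachingProvider reuses one DEK for up to MaxUses messages before asking KMS for another
// (the source of the cost/latency savings); each message still gets its own random nonce.
type CachingProvider struct {
	KeyProvider
	MaxUses, Calls, uses int // Calls counts real GenerateDataKey round trips
	keyID                string
	dek, wrapped         []byte
}

func (c *CachingProvider) GenerateDataKey(keyID string) ([]byte, []byte, error) {
	if c.dek == nil || c.keyID != keyID || c.uses >= c.MaxUses {
		dek, wrapped, err := c.KeyProvider.GenerateDataKey(keyID)
		if err != nil {
			return nil, nil, err
		}
		c.dek, c.wrapped, c.keyID, c.uses, c.Calls = dek, wrapped, keyID, 0, c.Calls+1
	}
	c.uses++
	return c.dek, c.wrapped, nil
}
```

Rotation falls out of the blob format: new writes name the new KEK, old envelopes still decrypt because each wrapped DEK names the KEK that produced it, and deleting a retired KEK makes every envelope wrapped under it unrecoverable. The reuse cap on the cached DEK matters because AES-GCM with random 96-bit nonces must not be used for an unbounded number of messages under one key; a real deployment would add a time-to-live alongside the use count.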
(aws/s3, aws/ebs)

Install: npx claudepluginhub killvxk/cybersecurity-skills-zh

Implements envelope encryption using the AWS KMS GenerateDataKey API: encrypts data locally with a DEK while keeping the master key secure in KMS. Useful for encrypting large data volumes, reducing KMS API costs, and enabling offline decryption with cached keys.

Implements envelope encryption with AWS KMS in Python: generates DEKs via GenerateDataKey, encrypts and decrypts locally with AES-256-GCM, and covers key caching, rotation and multi-region support. Intended for large data volumes and compliance requirements.