To protect secrets, Secrets Manager uses envelope encryption: each secret value is encrypted with a data key, and that data key is in turn encrypted under an AWS KMS key (what AWS used to call a customer master key, or CMK).

Secrets Manager uses a unique data key to protect each secret value. Whenever the secret value in a secret changes, Secrets Manager generates a new data key to protect it, so two versions of the same secret never share a data key. The data key is encrypted under the KMS key and stored, in that encrypted form, in the metadata of the secret, as shown in the following image; the plaintext data key is held only in memory for as long as the encryption takes and is then discarded. To decrypt the secret, Secrets Manager must first ask AWS KMS to decrypt the encrypted data key with the KMS key (the KMS key itself never leaves KMS), and only then can it decrypt the secret value. In practice this means that a principal retrieving a secret protected by a customer managed key needs kms:Decrypt on that key in addition to secretsmanager:GetSecretValue, and one that writes a new value needs kms:GenerateDataKey; a missing KMS permission surfaces as an AccessDenied error even when the Secrets Manager permissions are correct.
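To make the envelope-encryption flow above concrete, here is an added example (my own illustration, not code from AWS or from Secrets Manager) that models it end to end in Go with the standard library: a stand-in `FakeKMS` holds a master key that never leaves it and exposes the two operations Secrets Manager relies on, generating a wrapped data key and unwrapping it; `PutSecretValue` mints a fresh data key for every new value and stores the wrapped key beside the ciphertext; `GetSecretValue` unwraps the data key first and only then decrypts the value. The key ARN, secret name and the use of the secret name as AES-GCM additional data (standing in for a KMS encryption context) are assumptions chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// seal encrypts with AES-256-GCM under a fresh random nonce; output is nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a tampered ciphertext, wrong key or wrong aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// FakeKMS stands in for AWS KMS (assumption): the master key stays inside it.
type FakeKMS struct {
	KeyID     string
	masterKey []byte
}

func NewFakeKMS(keyID string) (*FakeKMS, error) {
	mk := make([]byte, 32)
	if _, err := rand.Read(mk); err != nil {
		return nil, err
	}
	return &FakeKMS{KeyID: keyID, masterKey: mk}, nil
}

// GenerateDataKey mirrors kms:GenerateDataKey: a random 256-bit data key is returned
// both in plaintext (for immediate use) and wrapped under the master key (for storage).
func (k *FakeKMS) GenerateDataKey(ctx []byte) (plaintext, wrapped []byte, err error) {
	plaintext = make([]byte, 32)
	if _, err = rand.Read(plaintext); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(k.masterKey, plaintext, ctx)
	return plaintext, wrapped, err
}

// Decrypt mirrors kms:Decrypt: unwrap a data key without ever exposing the master key.
func (k *FakeKMS) Decrypt(wrapped, ctx []byte) ([]byte, error) {
	return open(k.masterKey, wrapped, ctx)
}

// Secret is the stored record: the encrypted value plus the wrapped data key kept in metadata.
type Secret struct {
	Name             string
	KMSKeyID         string
	Ciphertext       []byte
	EncryptedDataKey []byte // metadata: only ever stored in wrapped form
}

// PutSecretValue generates a new data key for every value written, as Secrets Manager does.
func PutSecretValue(kms *FakeKMS, name string, value []byte) (*Secret, error) {
	ctx := []byte("SecretName=" + name) // assumed stand-in for a KMS encryption context
	dk, wrapped, err := kms.GenerateDataKey(ctx)
	if err != nil {
		return nil, err
	}
	ct, err := seal(dk, value, ctx)
	for i := range dk { // plaintext data key is discarded once the value is encrypted
		dk[i] = 0
	}
	if err != nil {
		return nil, err
	}
	return &Secret{Name: name, KMSKeyID: kms.KeyID, Ciphertext: ct, EncryptedDataKey: wrapped}, nil
}

// GetSecretValue unwraps the data key via KMS first, then decrypts the value with it.
func GetSecretValue(kms *FakeKMS, s *Secret) ([]byte, error) {
	ctx := []byte("SecretName=" + s.Name)
	dk, err := kms.Decrypt(s.EncryptedDataKey, ctx)
	if err != nil {
		return nil, fmt.Errorf("kms:Decrypt of data key failed: %w", err)
	}
	return open(dk, s.Ciphertext, ctx)
}

func main() {
	kms, _ := NewFakeKMS("arn:aws:kms:us-east-1:111122223333:key/example") // assumed ARN
	s, _ := PutSecretValue(kms, "prod/db/password", []byte("hunter2"))
	v, err := GetSecretValue(kms, s)
	fmt.Printf("value=%q err=%v wrappedKeyBytes=%d\n", v, err, len(s.EncryptedDataKey))
}
```

Two properties worth checking against the text: writing the same secret twice yields two different wrapped data keys, and flipping a single byte of the wrapped key in the metadata makes retrieval fail at the KMS step, before any secret bytes are touched.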
