Define the Data Encryption Key (DEK) as a symmetric key generated fresh per record or per data partition, used only to encrypt the payload, and never persisted in plaintext
Define the Key Encryption Key (KEK) as a long-lived key stored in a KMS or HSM; the KEK encrypts (wraps) the DEK so only the wrapped DEK ciphertext is stored alongside the payload
Choose DEK granularity based on your threat model: per-record DEKs limit blast radius if one ciphertext is compromised, while per-tenant DEKs simplify multi-tenant key isolation
Implement the encrypt path: generate DEK, encrypt payload with DEK, encrypt DEK with KEK, store (encrypted payload + wrapped DEK + KEK reference)
Implement the decrypt path: retrieve KEK reference, call KMS/HSM to unwrap DEK, decrypt payload with DEK, discard DEK from memory
Plan for KEK rotation: rotating the KEK requires rewrapping all stored wrapped DEKs with the new KEK; consider using key versioning to phase rotation without a single large rewrap job
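The encrypt, decrypt and KEK-rotation paths above, as an added example in Go (not code from the original page or from any KMS vendor). It uses AES-256-GCM for both the payload and the DEK wrap, and a hypothetical MockKMS map in place of a real KMS/HSM; the names randomBytes, zero, seal, open, MockKMS, Envelope, Encrypt, Decrypt and Rewrap are this example's own. The caller seeds the mock with a KEK version, e.g. kms := MockKMS{"kek/v1": randomBytes(32)}; against a real KMS the application would never hold KEK bytes at all, only the version reference it stores in the envelope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG; a failure here is not recoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// zero wipes key material once it is no longer needed (best effort: Go may have copied it).
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// seal returns nonce||ciphertext||tag under AES-256-GCM; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	block, _ := aes.NewCipher(key) // keys are always 32 bytes, so neither constructor can fail
	gcm, _ := cipher.NewGCM(block)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to nonce, ciphertext, tag or aad is rejected.
func open(key, blob, aad []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// MockKMS stands in for a KMS/HSM (hypothetical): KEK bytes never leave it; callers hold only a version ID.
type MockKMS map[string][]byte

// Wrap encrypts a DEK under a KEK version; the version ID is bound as AAD so the wrapped DEK is rejected under any other KEK reference.
func (k MockKMS) Wrap(id string, dek []byte) ([]byte, error) {
	if kek, ok := k[id]; ok {
		return seal(kek, dek, []byte(id)), nil
	}
	return nil, fmt.Errorf("unknown KEK version %q", id)
}

// Unwrap is the only path back to a plaintext DEK; a real KMS would authorize and audit it.
func (k MockKMS) Unwrap(id string, wrapped []byte) ([]byte, error) {
	if kek, ok := k[id]; ok {
		return open(kek, wrapped, []byte(id))
	}
	return nil, fmt.Errorf("unknown KEK version %q", id)
}

type Envelope struct { // the stored record: payload ciphertext, wrapped DEK, KEK reference
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt: fresh per-record DEK -> encrypt payload -> wrap DEK under kekID -> envelope.
func Encrypt(kms MockKMS, kekID string, plaintext, aad []byte) (*Envelope, error) {
	dek := randomBytes(32)
	defer zero(dek) // the plaintext DEK is never persisted and is wiped on return
	wrapped, err := kms.Wrap(kekID, dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, aad)}, nil
}

// Decrypt: read the KEK reference -> unwrap the DEK via the KMS -> decrypt -> wipe the DEK.
func Decrypt(kms MockKMS, env *Envelope, aad []byte) ([]byte, error) {
	dek, err := kms.Unwrap(env.KEKID, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	return open(dek, env.Ciphertext, aad)
}

// Rewrap moves an envelope to a new KEK version; the payload ciphertext is untouched, so rotation costs one unwrap/wrap per record.
func Rewrap(kms MockKMS, env *Envelope, newID string) error {
	dek, err := kms.Unwrap(env.KEKID, env.WrappedDEK)
	if err != nil {
		return err
	}
	defer zero(dek)
	wrapped, err := kms.Wrap(newID, dek)
	if err != nil {
		return err
	}
	env.KEKID, env.WrappedDEK = newID, wrapped
	return nil
}
```

Rewrap is the phased rotation the text describes: add "kek/v2" to the KMS, start issuing new envelopes under it, and walk existing records through Rewrap in the background, checking KEKID to skip ones already moved; the payload bytes are never re-encrypted. Binding the KEK version ID as AAD on the wrap means an envelope whose KEK reference was altered in storage fails to unwrap rather than silently decrypting under the wrong key, which is one reason the text treats that metadata as sensitive.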
Known gotchas
A DEK that encrypts large amounts of data over time effectively becomes a long-lived key; rotate DEKs periodically or per data-lifecycle event to limit exposure
Storing the KEK reference (e.g., KMS key ARN or key version) alongside the ciphertext is required for decryption but also reveals which key protects the data; treat this metadata as sensitive
KEK and DEK algorithms should both be strong and appropriate for their purpose; mixing a strong KEK with a weak DEK algorithm negates the security of the KEK