CEK

CEK stands for Content Encryption Key in cryptography. It is the key used to encrypt the actual data in a protection scheme, typically a symmetric key employed by an encryption algorithm such as AES or ChaCha20-Poly1305. In envelope encryption, the data is encrypted with a CEK, while the CEK itself is protected by a separate key, often called the Key Encryption Key (KEK), or by a key management service. The CEK is usually generated as a high-entropy random value and commonly uses 128, 192, or 256-bit lengths when AES is the content encryption algorithm.
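The envelope-encryption arrangement described above, as an added example that is not part of the original page. It assumes AES-256-GCM both for the content and for wrapping the CEK under the KEK (AES Key Wrap or a key management service are other ways to protect the CEK), and the names `seal`, `unseal`, `envelope_encrypt` and `envelope_decrypt` are hypothetical.

```ruby
require 'openssl'

NONCE_LEN = 12 # AES-GCM nonce size in bytes
TAG_LEN = 16   # AES-GCM authentication tag size in bytes

# Encrypt msg under a 256-bit key; output layout is nonce || ciphertext || tag.
def seal(key, msg)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key         # raises ArgumentError unless key is exactly 32 bytes
  nonce = c.random_iv # fresh random nonce on every call
  c.auth_data = ''    # no associated data in this example
  ct = c.update(msg) + c.final
  nonce + ct + c.auth_tag
end

# Reverse seal; raises OpenSSL::Cipher::CipherError on a wrong key or altered bytes.
def unseal(key, sealed)
  raise ArgumentError, 'sealed value too short' if sealed.bytesize < NONCE_LEN + TAG_LEN
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = sealed.byteslice(0, NONCE_LEN)
  d.auth_tag = sealed.byteslice(-TAG_LEN, TAG_LEN)
  d.auth_data = ''
  d.update(sealed.byteslice(NONCE_LEN, sealed.bytesize - NONCE_LEN - TAG_LEN)) + d.final
end

# A fresh CEK encrypts the data; the KEK encrypts (wraps) only the CEK.
def envelope_encrypt(kek, plaintext)
  cek = OpenSSL::Random.random_bytes(32) # unique 256-bit CEK for this object
  { wrapped_cek: seal(kek, cek), ciphertext: seal(cek, plaintext) }
end

# Unwrap the CEK with the KEK, then decrypt the data with the CEK.
def envelope_decrypt(kek, envelope)
  cek = unseal(kek, envelope[:wrapped_cek])
  unseal(cek, envelope[:ciphertext])
end

if __FILE__ == $PROGRAM_NAME
  kek = OpenSSL::Random.random_bytes(32) # constructed KEK; normally held by a KMS
  envelope = envelope_encrypt(kek, 'constructed sample payload')
  puts envelope_decrypt(kek, envelope)
end
```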

In many standards, CEK is used interchangeably with the term data encryption key (DEK) to denote the key that protects the payload. The encrypted or wrapped form of the CEK is stored or transmitted along with the encrypted data, enabling decryption by parties who can access the KEK or have appropriate access to the key management system.

Management and security considerations emphasize short-lived and uniquely generated CEKs for different objects or sessions. CEKs should be rotated regularly, protected by robust key management systems, and safeguarded with strict access control and auditing. Appropriate algorithm choices depend on performance requirements and platform constraints, with AES-GCM and ChaCha20-Poly1305 being common options for content encryption.

See also: Key encryption key, envelope encryption, JSON Web Encryption, data encryption key, key management service.