DEKs

DEK stands for data encryption key, a cryptographic key used to encrypt and decrypt data. In modern systems DEKs are typically symmetric keys, often based on algorithms such as AES. A DEK may protect a single data object or be used to encrypt data in a larger stream or file set. To improve security, many architectures employ envelope encryption: the actual data is encrypted with a DEK, while the DEK itself is encrypted (wrapped) with a separate key, called a key-encryption key (KEK), or with a master key stored in a key management service or hardware security module.

Wrapped DEKs are stored alongside the encrypted data or in a metadata store, so the data can be decrypted only by someone who can unwrap the DEK with the KEK. DEKs are often generated per object or per session and then discarded or rotated. This approach allows frequent rotation of the KEK without re-encrypting the underlying data: rotating the KEK only requires unwrapping each DEK with the old KEK and re-wrapping it with the new one, while the data ciphertext stays unchanged.

Common DEK sizes include 128, 192, or 256 bits when using AES; other symmetric algorithms may be used depending on requirements. DEKs may be ephemeral, created on demand and destroyed after use, or persisted (normally in wrapped form) in secure storage for longer-term access control.

Key management is critical for DEKs. Secure storage of KEKs, controlled access, auditing, and periodic rotation are standard practices. Proper handling limits the damage if key material leaks: a wrapped DEK is useless to anyone who cannot unwrap it with the corresponding KEK, and because a DEK typically protects a single object or session, exposure of a plaintext DEK compromises only the data encrypted under that DEK, not everything protected by the KEK.

Related concepts include envelope encryption, key management services, hardware security modules, and secure key rotation policies.