npx claudepluginhub plurigrid/asi --plugin asi

This skill uses the workspace's default tool permissions.
Implements envelope encryption with AWS KMS in Python: generate DEKs, local AES-256-GCM encrypt/decrypt, key caching, rotation, and multi-region support.
Implements envelope encryption using AWS KMS GenerateDataKey: encrypt bulk data locally with AES-256-GCM DEK, secure DEK with KMS KEK. Covers caching, rotation, multi-region recovery. Useful for low-latency, cost-effective encryption beyond 4KB limits.
Provides AWS KMS patterns using Java SDK 2.x for encryption key management, data encryption/decryption, envelope encryption, digital signing, key rotation, and Spring Boot integration.
Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a master key (KEK) managed by AWS KMS. This approach allows encrypting large volumes of data locally while keeping the master key secure in a hardware security module (HSM) managed by AWS. This skill covers implementing envelope encryption using AWS KMS GenerateDataKey API.
- kms:GenerateDataKey to get plaintext DEK + encrypted DEK
- kms:Decrypt on encrypted DEK, then decrypt data

| Aspect | Direct KMS | Envelope Encryption |
|---|---|---|
| Max data size | 4 KB | Unlimited |
| Latency | Network round-trip per operation | Local encryption |
| Cost | $0.03/10,000 requests | Fewer KMS requests |
| Offline | Not possible | Yes (with cached DEKs) |
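
The flow above as an added Python example (not the skill's own code): one GenerateDataKey call, then local AES-256-GCM over data well beyond the 4 KB direct-KMS limit. `LocalStubKMS` is a constructed offline stand-in that mimics the `generate_data_key`/`decrypt` call shape of `boto3.client("kms")`; the blob layout, function names and key alias are assumptions.

```python
import os
import struct
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

class LocalStubKMS:
    """Constructed offline stand-in for the two boto3 KMS calls used below."""
    def __init__(self):
        self._kek = AESGCM(AESGCM.generate_key(bit_length=256))  # KEK stays inside "KMS"

    @staticmethod
    def _aad(context):
        return repr(sorted(context.items())).encode()

    def generate_data_key(self, KeyId, KeySpec, EncryptionContext):
        dek, nonce = os.urandom(32), os.urandom(12)
        blob = nonce + self._kek.encrypt(nonce, dek, self._aad(EncryptionContext))
        return {"Plaintext": dek, "CiphertextBlob": blob, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob, EncryptionContext):
        aad = self._aad(EncryptionContext)
        return {"Plaintext": self._kek.decrypt(CiphertextBlob[:12], CiphertextBlob[12:], aad)}

def encrypt_envelope(kms, key_id, plaintext, context):
    """Return len(wrapped DEK) || wrapped DEK || nonce || AES-256-GCM ciphertext+tag."""
    resp = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256", EncryptionContext=context)
    wrapped, nonce = resp["CiphertextBlob"], os.urandom(12)  # fresh nonce per message
    header = struct.pack(">H", len(wrapped)) + wrapped + nonce
    # The header is passed as AAD, so swapping the wrapped DEK or nonce fails the tag check.
    body = AESGCM(resp["Plaintext"]).encrypt(nonce, plaintext, header)
    return header + body  # only the encrypted DEK is stored, never the plaintext DEK

def decrypt_envelope(kms, blob, context):
    """Unwrap the DEK with kms:Decrypt, then decrypt and authenticate locally."""
    (n,) = struct.unpack(">H", blob[:2])
    split = 2 + n + 12
    wrapped, nonce = blob[2:2 + n], blob[2 + n:split]
    dek = kms.decrypt(CiphertextBlob=wrapped, EncryptionContext=context)["Plaintext"]
    return AESGCM(dek).decrypt(nonce, blob[split:], blob[:split])

if __name__ == "__main__":
    kms = LocalStubKMS()  # with AWS credentials: boto3.client("kms")
    ctx = {"purpose": "example"}  # constructed encryption context
    blob = encrypt_envelope(kms, "alias/example-key", b"A" * 1_000_000, ctx)
    print(len(blob), decrypt_envelope(kms, blob, ctx)[:4])
```

The encryption context must be supplied unchanged at decrypt time; a mismatch makes the DEK unwrap fail before any data is decrypted.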
aws/s3, aws/ebs)