Envelope Encryption Using KeyIDs

Envelope encryption allows you to encrypt data with a data encryption key (DEK) and then encrypt the DEK for further security. You can use a KeyID to encrypt a DEK that is used for envelope encryption. KeyControl uses the AES-GCM algorithm for encryption. Only 256-bit KeyIDs can be used to encrypt DEKs. See Create KeyID (Access Token-Based Authentication) or Create KeyID (Certificate-Based Authentication) .