Envelope Encryption: Definition
Envelope encryption is a cryptographic pattern in which working data is encrypted with a one-time or periodically rotated data key, while the data key itself is then encrypted with a separate master key. In practice, this means separating protection of the content from protection of the key that encrypted that content. This model is commonly used in systems that process large files, including photos and video recordings containing faces and license plates.
In technical literature, this corresponds to combining symmetric encryption for data with a key wrapping mechanism or using asymmetric cryptography to protect the data key. NIST describes key wrapping in SP 800-38F from 2012 and key lifecycle management in SP 800-57 Part 1 Rev. 5 from 2020. In production environments, data is most often encrypted with AES, while the data key is protected using a key stored in a KMS or HSM, or by means of asymmetric cryptography.
In the context of photo and video anonymization, envelope encryption does not replace face blurring or license plate blurring. It serves a different purpose. It protects source material, intermediate files, exports, and the keys used during processing. It becomes especially important when an organization needs to reduce the risk of unauthorized access to recordings before anonymization, during processing, and after completion.
How Envelope Encryption Works in Photo and Video Processing
The mechanism is conceptually simple, but the operational details matter. For each file or batch of files, the system generates a data key. That key is used to encrypt the image, recording, or output archive. The data key is then encrypted with a master key. The encrypted data key, the identifier of the master key used, and the parameters required for decryption, such as a nonce or IV, are stored with the file or in the metadata record.
In a visual data anonymization system, this workflow usually looks like this:
- the input file is stored in encrypted storage,
- controlled access to decrypted data is provided for the duration of processing,
- the AI model detects faces and license plates,
- the anonymized result is saved as a new file, also encrypted,
- the data keys for the input and output versions may be different,
- master key rotation does not require re-encrypting entire files, only re-protecting the data keys.
This last point is the main advantage of envelope encryption architecture for large volumes of video data. Re-encrypting terabytes of material would be computationally and operationally expensive. Re-protecting only the data keys is much faster.
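The workflow above in code, as an added example that is not from the original page or from any product it mentions: Python with the `cryptography` library, AES-256-GCM for the file and AES Key Wrap (SP 800-38F) for the DEK. The `Envelope` record layout, the function names and the optional `aad` context are assumptions.

```python
import os
from dataclasses import dataclass

from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import aes_key_unwrap, aes_key_wrap


@dataclass
class Envelope:
    """Per-file record stored beside the ciphertext (constructed layout)."""

    kek_id: str         # identifier of the master key that wrapped the DEK
    wrapped_dek: bytes  # DEK under AES Key Wrap (SP 800-38F); unwrap checks integrity
    nonce: bytes        # 96-bit GCM nonce, fresh for this one-time DEK
    ciphertext: bytes   # AES-256-GCM output with the 16-byte authentication tag appended


def encrypt(kek_id: str, kek: bytes, data: bytes, aad: bytes = b"") -> Envelope:
    """Generate a one-time DEK, seal the file with it, then wrap the DEK under the KEK.

    `aad` is optional context (for example the file path) bound into the GCM tag so a
    ciphertext cannot be silently moved to a different record."""
    dek = AESGCM.generate_key(bit_length=256)  # CSPRNG-backed 32-byte data key
    nonce = os.urandom(12)  # CSPRNG nonce; the DEK is used once, so it cannot repeat
    ciphertext = AESGCM(dek).encrypt(nonce, data, aad)
    return Envelope(kek_id, aes_key_wrap(kek, dek), nonce, ciphertext)


def decrypt(env: Envelope, kek: bytes, aad: bytes = b"") -> bytes:
    """Unwrap the DEK with the named KEK, then decrypt and authenticate the file.

    A wrong KEK raises InvalidUnwrap; an altered nonce, tag, ciphertext or context
    raises InvalidTag, so nothing is returned unless both layers verify."""
    dek = aes_key_unwrap(kek, env.wrapped_dek)
    return AESGCM(dek).decrypt(env.nonce, env.ciphertext, aad)


def rotate(env: Envelope, old_kek: bytes, new_id: str, new_kek: bytes) -> Envelope:
    """Re-protect only the DEK under a new KEK; the file ciphertext is left untouched."""
    dek = aes_key_unwrap(old_kek, env.wrapped_dek)
    return Envelope(new_id, aes_key_wrap(new_kek, dek), env.nonce, env.ciphertext)


if __name__ == "__main__":
    kek = os.urandom(32)  # in production the KEK stays in the KMS/HSM, not on this host
    env = encrypt("kek-v1", kek, b"constructed video frame bytes", b"clip-001.mp4")
    print(decrypt(env, kek, b"clip-001.mp4"))
```

Rotation calls only `aes_key_unwrap` and `aes_key_wrap` on 32 bytes of key material, which is why it stays cheap no matter how large the recording is.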
The Role of Envelope Encryption in Photo and Video Anonymization
In the visual anonymization process, there are at least two types of risk. The first concerns incorrect or incomplete detection of faces and license plates. The second concerns disclosure of the material before anonymization, or access to the source version after the export has been created. Envelope encryption addresses the second area.
In practice, this means that even if a file is copied from a repository or backup medium, it remains unreadable without access to the correct master key and cryptographic metadata. For a Data Protection Officer, this matters because the measure supports the principle of integrity and confidentiality under Article 5(1)(f) of the GDPR, as well as security of processing under Article 32 GDPR. Encryption alone, however, does not make data anonymous. In line with the approach of the EDPB and supervisory authorities, it is a security measure, not an anonymization technique.
Key Technical Components and Parameters
Assessing implementation quality should not stop at stating that data is encrypted. What matters are the algorithms, key lengths, the way randomness is generated, and the key management model.
| Component | Typical Solution | Practical Significance |
|---|---|---|
| Data encryption algorithm | AES-256-GCM | Confidentiality and integrity in a single AEAD mode. NIST SP 800-38D, 2007. |
| Data key | DEK - Data Encryption Key | Encrypts a specific file, segment, or batch of data. |
| Master key | KEK or CMK | Used to protect the DEK. It should be secured in a KMS or HSM. |
| Key wrapping | AES Key Wrap | A standardized mechanism for key protection. NIST SP 800-38F, 2012. |
| Randomness | CSPRNG | Critical for the security of nonces, IVs, and keys. |
| Key rotation | Periodic or event-driven | Limits the impact of key compromise and supports key lifecycle management. |
Example metrics and attributes worth evaluating in a photo and video processing system:
- time required to decrypt and make a file available for processing, usually measured in ms or s per file,
- storage overhead, including metadata, authentication tag, and encrypted DEK,
- master key rotation time, depending on the number of key re-protection operations,
- RPO and RTO for key recovery after a failure,
- the number of people and roles with access to decrypt source material,
- the level of isolation between production, test, and backup environments.
If the system uses AES-GCM, a nonce must never be reused with the same key. Reusing one breaks both the confidentiality and the integrity guarantees of the mode. This is a technical requirement, not a configuration option.
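An added example (not from the original page) of enforcing that requirement when one DEK covers many segments of a single recording rather than one whole file: the nonce is a per-key random prefix plus a counter that only ever increases, with a hard per-key budget. The `SegmentSealer` class, its budget default and the AAD layout are assumptions.

```python
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class SegmentSealer:
    """Seals successive segments of one recording under a single DEK.

    The nonce is 4 random bytes fixed for this DEK plus a 64-bit segment counter that
    only ever increases, so no (DEK, nonce) pair can repeat even when a segment is
    retried. A sealer is never restored from disk with an old counter: after a crash
    the rest of the recording gets a new DEK instead."""

    def __init__(self, dek: bytes, key_id: str, budget: int = 2**32):
        self._aead = AESGCM(dek)
        self.key_id = key_id
        self._prefix = os.urandom(4)
        self._next = 0
        self._budget = budget  # conservative cap on encryptions per key

    def seal(self, segment: bytes) -> tuple[int, bytes, bytes]:
        """Return (segment index, nonce, ciphertext); refuse once the budget is spent."""
        if self._next >= self._budget:
            raise RuntimeError("nonce budget spent for this DEK; start a new DEK")
        index = self._next
        self._next += 1  # advance before encrypting: a failed call still burns its nonce
        nonce = self._prefix + index.to_bytes(8, "big")
        aad = f"{self.key_id}:{index}".encode()  # bind key id and position to the tag
        return index, nonce, self._aead.encrypt(nonce, segment, aad)


def open_segment(dek: bytes, key_id: str, index: int, nonce: bytes, ct: bytes) -> bytes:
    """Decrypt one segment; a moved, reordered or altered segment fails the tag check."""
    return AESGCM(dek).decrypt(nonce, ct, f"{key_id}:{index}".encode())
```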
Practical Use in an On-Premises Environment
In on-premises environments, which are common when handling sensitive material, envelope encryption makes it easier to separate duties. The application server may process files, but the master key remains outside it, for example in an HSM or a dedicated KMS. As a result, compromising one component does not necessarily mean immediate access to the full content of the recordings.
In the case of Gallio PRO, this matters when organizing a secure file workflow. The software automatically blurs faces and license plates, but it does not anonymize other categories of data visible in the material. That is why protecting source files and working copies is especially important. Envelope encryption can protect material before processing, after processing, and in the archive. This does not change the scope of the system’s detection functions: logos, tattoos, name badges, documents, or content displayed on monitor screens are not detected automatically and require manual action in the editor.
Limitations and Most Common Mistakes
Envelope encryption is a mature pattern, but it is sometimes implemented incorrectly. When that happens, the formal benefits do not translate into real security. The most common mistakes include:
- storing the master key on the same server as the encrypted files,
- lack of key rotation and no key revocation procedures after an incident,
- using outdated unauthenticated modes, such as CBC alone without additional integrity protection,
- improper nonce or IV management,
- treating encryption as a substitute for anonymization,
- leaving temporary files and cache unencrypted during video processing.
It is also important to distinguish cryptographic security from anonymization effectiveness. Even perfectly encrypted material may still contain visible personal data after decryption if face or license plate detection was incomplete.
Standards and Sources
The documents below are the ones most commonly cited when designing and auditing this kind of solution. These are technical and regulatory sources, not marketing commentary.
- NIST SP 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, 2007.
- NIST SP 800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping, 2012.
- NIST SP 800-57 Part 1 Rev. 5, Recommendation for Key Management, 2020.
- FIPS 197, Advanced Encryption Standard (AES), editorial update 2023, originally published in 2001.
- GDPR - Regulation (EU) 2016/679, Article 5 and Article 32.
- ENISA materials on pseudonymization and cryptographic measures in data protection, used as supporting resources when assessing technical measures.
Two naming conventions are in use. One distinguishes the DEK and the KEK as separate key roles. The other uses vendor-specific names, such as data key and customer managed key. The difference is only one of naming, as long as the architecture preserves the same separation of functions.