What is Key Wrapping?
A technique for encrypting one cryptographic key (the wrapped key) under another (the wrapping key) so that it can be stored or transported safely.
Key wrapping ensures that encryption keys appear in plaintext only inside the boundary that holds the wrapping key, never in storage or on the wire.
Why It Matters
- Encryption is only as strong as how well the keys are protected
- Keys need to be stored somewhere — wrapping encrypts them at rest
- When keys are sent between systems, wrapping protects them in transit
How It Works
- A Key Encryption Key (KEK) encrypts the actual data encryption keys
- The KEK is stored separately, often in a hardware security module or cloud key management service that performs the wrap and unwrap operations without ever exporting the KEK
- To use a data key, you first unwrap it with the KEK, keep the plaintext copy in memory only as long as it is needed, and discard it afterwards
Standards
- AES Key Wrap (RFC 3394, standardized by NIST as KW in SP 800-38F) is the most common algorithm; RFC 5649 adds padding so the key data need not be a multiple of 64 bits
- Unlike raw AES-ECB or AES-CBC, AES Key Wrap includes an integrity check: unwrapping with the wrong KEK or a modified wrapped key fails instead of silently producing garbage key material
- Used in OpenPGP (ECDH key encryption), CMS/S/MIME, JOSE/JWE, and cloud key management services; AES-GCM and RSA-OAEP are also used to wrap keys where a nonce-based or public-key scheme fits better
The Key Hierarchy
Most systems use a hierarchy: Master Key > Key Encryption Keys > Data Encryption Keys. Each DEK covers a bounded set of data (one file, one tenant, one database table), so compromising a DEK exposes only that data, and rotating a KEK means rewrapping the DEKs beneath it rather than re-encrypting all the data. The master key at the top is the one that never leaves the HSM or KMS.
Related Terms
AES
Advanced Encryption Standard is a symmetric encryption algorithm adopted by the U.S. government and used worldwide. It's the gold standard for encrypting sensitive data, used in everything from HTTPS to disk encryption.
Encryption at Rest
Encryption applied to data stored on disks, databases, or other storage media. When data is 'at rest' (not actively being transmitted), encryption protects it from unauthorized access if storage devices are stolen or compromised.
Key Exchange
A cryptographic protocol that allows two parties to establish a shared secret key over an insecure channel. This shared key can then be used for symmetric encryption, enabling secure communication without the parties having shared a secret in advance.