Data Encryption Key (DEK)

Definition - What does Data Encryption Key (DEK) mean?

A data encryption key (DEK) is a type of key designed to encrypt and decrypt data at least once or possibly multiple times. DEKs are created by an encryption engine. Data is encrypted and decrypted with the help of the same DEK; therefore, a DEK must be stored for at least a specified duration for decrypting the generated cipher text.

[WEBINAR] Index Insanity: How to Avoid Database Chaos

Techopedia explains Data Encryption Key (DEK)

The time period for storing data prior to its retrieval may vary significantly, and some data may be kept for many years or even decades prior to accessing it. In order to ensure that the data is still available, DEKs may also have to be retained for very long periods. A key-management system provides life-cycle supervision for every DEK generated by an encryption engine. Key-management systems are usually offered by third-party vendors.

Regardless of the life-cycle length, there are four levels in a DEK life cycle:

The key is created using the crypto module of the encryption engine.
The key is then provided to a key vault and to various other encryption engines.
This key is utilized for encrypting and decrypting data.
The key is then suspended, terminated or destroyed.

A DEK may be customized to expire during a particular time frame in order to prevent data from being compromised. Under such circumstances, it should be used once more for decrypting the data and then the resulting clear text is encrypted with the help of a new key (re-keyed).