Overview
What this challenge is about.
Design the envelope-encryption hierarchy: a customer Key Encryption Key (KEK) held in AWS KMS (Key Management Service), with Data Encryption Keys (DEKs) wrapped per document. Use AES-256-GCM with the document's S3 object key as the Associated Data (AAD), so a swapped object fails decryption. Implement the encrypt-upload and download-decrypt paths in Go. Handle key rotation (re-wrap DEKs without re-encrypting data). Migrate 50GB of representative documents end-to-end. Deliver Go code, a key-hierarchy diagram, the migration script, a test suite covering tampering and key rotation, and a 5-page operations runbook.
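The hierarchy described above, sketched as an added Go example (not part of the original brief or any course solution): it shows the S3 object key bound as AAD and a KEK rotation that replaces only the wrapped DEK. A local 32-byte AES key stands in for the KMS-held KEK, and the names blob, Envelope, Encrypt, Decrypt and Rewrap are assumptions.

```go
package main // added example; kek is a local AES-256 key standing in for the KMS-held KEK

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

type blob struct {
	Nonce [12]byte
	CT    []byte // ciphertext || 16-byte GCM tag
}
type Envelope struct{ WrappedDEK, Body blob } // stored with each S3 object

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // setup failure only: bad key length or no entropy
	}
	return v
}
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func seal(key, pt, aad []byte) (b blob) {
	must(rand.Read(b.Nonce[:])) // fresh random 96-bit nonce per call
	b.CT = gcm(key).Seal(nil, b.Nonce[:], pt, aad)
	return b
}

func Encrypt(kek []byte, s3Key string, doc []byte) Envelope {
	dek := make([]byte, 32) // new AES-256 DEK for every document
	must(rand.Read(dek))
	return Envelope{seal(kek, dek, nil), seal(dek, doc, []byte(s3Key))} // body AAD = S3 key
}

// Decrypt fails if the body or tag was modified, or if s3Key is not the key sealed as AAD.
func Decrypt(kek []byte, s3Key string, e Envelope) ([]byte, error) {
	dek, err := gcm(kek).Open(nil, e.WrappedDEK.Nonce[:], e.WrappedDEK.CT, nil)
	if err != nil {
		return nil, err
	}
	return gcm(dek).Open(nil, e.Body.Nonce[:], e.Body.CT, []byte(s3Key))
}

func Rewrap(oldKEK, newKEK []byte, e Envelope) (Envelope, error) {
	dek, err := gcm(oldKEK).Open(nil, e.WrappedDEK.Nonce[:], e.WrappedDEK.CT, nil)
	if err == nil {
		e.WrappedDEK = seal(newKEK, dek, nil) // rotation touches only this; Body is unchanged
	}
	return e, err
}
```

Serving the same envelope under a different S3 key makes Decrypt return an authentication error, and after Rewrap the body bytes are identical while only the new KEK unwraps the DEK.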
The Brief
What you'll do, and what you'll demonstrate.
Ship envelope encryption with customer-managed keys for a 4TB document service, prove tamper resistance via AEAD, and produce an operational runbook.
Earning criteria — what you'll demonstrate
- Design and ship envelope encryption with KMS-held KEKs
- Use AEAD correctly with Associated Data binding objects to their keys
- Implement key rotation without re-encrypting all underlying data
- Document encryption operations for a non-crypto SRE team
Program Fit
Where this fits in your program.
Sharpens the same skills your degree expects you to demonstrate.
Skills
Skills you'll demonstrate.
Each one shows up on your verified credential.
Careers
Roles this prepares you for.
Real titles. Real skill bridges. Pick the one closest to your trajectory.