Digital Envelope

Digital Envelope

Digital Envelope

The enveloped-data content type consists of an encrypted content of any type and encrypted content-encryption keys for one or more recipients.

The combination of the encrypted content and one encrypted content-encryption key for a recipient is a “digital envelope” for that recipient.


The content is encrypted with the content-encryption key.

The data to be protected is padded, then the padded data is encrypted using the
content-encryption key.

Content-encryption Key

The content-encryption key for the desired content-encryption algorithm is randomly generated.

Any type of content can be enveloped for an arbitrary number of recipients using any of the three key management techniques for each recipient.

Source: RFC 3369: Cryptographic Message Syntax (CMS)



Both S/MIME and PGP support protecting the encryption/session key using the public-key encryption. At the conceptual level, S/MIME and PGP apply. The diagram is an excerpt from Wikipedia and I think that’s why PGP is the answer.

The session key in S/MIME can be exchanged through:

  1. Key transport by public-key encryption (supported by CA)
  2. Key agreement
  3. Shared Key



Leave a Reply