In today’s issue of APIs by Example, I take up the challenge of cryptographic key management. How do you protect a cipher key against disclosure and at the same time make it readily available to your applications?
The idea behind key management is based on the simple fact that encrypted data is protected against unauthorized access only as long as the data encryption key is kept secret. Anyone having access to the data encryption key, and the encrypted data, of course, can get access to the clear-text data.
The simple answer to this problem is to encrypt the data encryption key. For that purpose, key-encrypting keys (KEKs) are implemented. So whenever a data encryption key is stored, it is first encrypted using a KEK.
This leaves you with the challenge of protecting the KEK against disclosure. So a final key layer is introduced: The master key. Using a master key, I can encrypt all KEKs before storing them on disk. And so they are also safe and protected. But now how do I protect the master key?