In part 3 of this article series, I delivered the Create Master Key (CRTMSTK) and Remove Master Key (RMVMSTK) commands. This time, I add the Create Key Encrypting Key (CRTKEK) and Remove Key Encrypting Key (RMVKEK) commands to the set of key administration tools that I intend to offer as part of my exploration of the Cryptographic Services APIs.
As explained last time, the CRTMSTK command simply adds the specified master key to the key store as it is, whereas the CRTKEK command needs to encrypt the specified key encrypting key under the master key before storing it. It is here that one of the new improvements to the Cryptographic Services APIs comes into play: key context tokens.
Instead of retrieving the master key and passing it on in clear text to the encryption process, the function responsible for retrieving the master key returns a key context token. A key context token identifies the actual key value to the encryption and decryption APIs; the key material itself is stored below the MI (the Machine Interface) and is therefore accessible only to system functions. Passing the token, rather than the key itself, between the functions that require the master key reduces the risk of exposing the key in application storage and thereby the risk of the master key being compromised.
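To make the token indirection concrete, here is an added Python model of the flow described above; it is not the article's RPG code and not IBM's Cryptographic Services API. The `CryptoServices` class stands in for the system side (raw key bytes live only in its private `_keys` dictionary), `key_store` is a plain dictionary standing in for the key store file, and an HMAC-SHA256 counter-mode construction stands in for the AES wrapping the real API would perform.

```python
import hashlib
import hmac
import secrets

class CryptoServices:
    def __init__(self):
        self._keys = {}  # token -> raw key bytes, never handed back to callers

    def create_key_context(self, key):
        token = secrets.token_bytes(8)  # opaque handle returned instead of the key
        self._keys[token] = key
        return token

    def destroy_key_context(self, token):
        del self._keys[token]  # any later use of the token fails with KeyError

    def _keystream(self, key, nonce, length):
        # HMAC-SHA256 in counter mode stands in for the AES the real API offers
        blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(length // 32 + 1))
        return b"".join(blocks)[:length]

    def encrypt_data(self, token, plaintext):
        key = self._keys[token]  # the key is resolved here, on the system side only
        nonce = secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity tag over the wrapped key
        return nonce + ct + tag

    def decrypt_data(self, token, blob):
        key = self._keys[token]
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("wrapped key failed authentication")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(key, nonce, len(ct))))

def crtmstk(key_store, label, master_key):
    key_store[label] = master_key  # CRTMSTK: the master key is stored as it is

def crtkek(system, key_store, master_label, kek_label, kek):
    # CRTKEK: retrieving the master key yields a token, not the key bytes
    token = system.create_key_context(key_store[master_label])
    try:
        key_store[kek_label] = system.encrypt_data(token, kek)  # KEK stored wrapped
    finally:
        system.destroy_key_context(token)  # the token dies with the operation

def rmvkek(key_store, kek_label):
    del key_store[kek_label]  # RMVKEK: drop the wrapped key encrypting key
```

The calling code in `crtkek` never holds master key bytes, only the token, and the token is destroyed as soon as the wrap is done.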