|
- encryption - How do SED drives generate the DEK? - Information Security . . .
The DEK is used to encrypt all content on the drive In the case the drive needs to be securely wiped, the DEK can simply be erased, regardless of whether or not the AK is set According to the TCG , the DEK is generated on the drive itself, rather than being generated on the computer and transferred over through some vendor-specific ATA command:
- DEK, KEK and Master key - Information Security Stack Exchange
DEK - Data Encryption Key The key used to encrypt the data e g Key: 1234 with AES 128 as encryption algorithem - 1234 is the DEK KEK - Key Encryption Key e g Encrypt (from DEK above) 1234 with 9999; 9999 is the KEK Master Key or MEK - Master Encryption Key This key is used to encrypt decrypt DEK and KEK in transit; usually used for KEK
- encryption - Why not use the KEK directly to encrypt data . . .
To use it, you authenticate to it, pass in an encrypted DEK, and it returns the unencrypted DEK (A YubiKey is an example of a small personal HSM that protects your passwords instead of DEKs So-called "enterprise grade" HSMs are usually expensive rack mounted devices that are locked in special cages inside corporate data centers )
- Why is there a des-ede3-cbc in my rsa private key?
I have created an OpenSSL RSA private key and certificate request with 4096 bit with the following command: openssl req -newkey 4096 When I view the private key with openssl asn1parse -in privkey
- cryptography - Exchange of DEK and KEK (encryption keys) between app . . .
The key to encrypt the DEK is stored in a totally separate server and is called the Key Encryption Key (KEK) So everytime a data is to be encrypted decrypted, first the KEK is used to decrypt the en_dek, which gives me the actual DEK, and then this DEK is used to encrypt decrypt the user's data Now my question is:
- Checking if an RSA private key is passphrase protected
The 'legacy' (OpenSSL) unencrypted format does start with MII (which is 30 82, the first two octets of all reasonable-sized ASN 1 DER SEQUENCEs, and encrypted does not, but they are also distinguished by the Proc-type and DEK-info lines which are much more obvious –
- Hierarchical Key Rotation. Should I rotate the lowest level keys?
Ultimately, your DEK is the critical one - if someone has your data and your DEK then it is game over Moreover, if someone has access to your data and the DEK then rotating all the other keys won't matter Still, only you can decide whether or not it is worth the effort to rotate the DEK Hence the question: what is your threat model?
- How to process or manage Key-Encryption-Key using HSM?
1 Data-Encryption-Key(DEK) 2 Key-Encryption-Key(KEK) KEK will be securely stored in HSM, which will be encrypted using master key Data Encryption Key will be decrypted using KEK Based on the above concept, my doubts are: Do we need to send the Encrypted DEK to the HSM for decrypting it or Do we need to decrypt the KEK and retrieve it from HSM ?
|
|
|