|
- DEK, KEK and Master key - Information Security Stack Exchange
This article is intended to be a simplified explanation sans drill-down for people wanting to understand these concepts terms What are DEK, KEK and MEK Master key?
- How do SED drives generate the DEK? - Information Security Stack Exchange
The DEK is used to encrypt all content on the drive In the case the drive needs to be securely wiped, the DEK can simply be erased, regardless of whether or not the AK is set According to the TCG, the DEK is generated on the drive itself, rather than being generated on the computer and transferred over through some vendor-specific ATA command:
- cryptography - Exchange of DEK and KEK (encryption keys) between app . . .
To make the system more secure, instead of storing DEK in plain text in the app server, it is stored in encrypted form (en_dek) in the app server The key to encrypt the DEK is stored in a totally separate server and is called the Key Encryption Key (KEK)
- encryption - Why not use the KEK directly to encrypt data . . .
The DEK never changes: you don't want to re-encrypt every single file, so you don't change the DEK You may want to change the KEK: if your KEK expires, got compromised, or you transfer ownership of the data to someone, you can re-encrypt the DEK with another key
- Browser- side caching of encrypted sensitive informations in . . .
The DEK (data encryption key) used to decrypt user data will be stored with the WebCrypto API as a non-extractable key The CryptoKey object itself will get stored in the IndexedDb of the browser We have basically two approaches: Using Cache-Control and ETag - headers to use browser-internal caching
- Hierarchical Key Rotation. Should I rotate the lowest level keys?
Ultimately, your DEK is the critical one - if someone has your data and your DEK then it is game over Moreover, if someone has access to your data and the DEK then rotating all the other keys won't matter Still, only you can decide whether or not it is worth the effort to rotate the DEK Hence the question: what is your threat model?
- Is it Secure to Use a Single AES-GCM Encryption Key for an Entire . . .
A better option is to have two keys: A data encryption key (DEK) which encrypts the data and a key encryption key (KEK) which encrypts the DEK When you rotate the KEK, you only have to re-encrypt the DEK, not all data For rotating the DEK, assign a unique ID to each key and store this ID together with the ciphertext
- password management - Information Security Stack Exchange
The below is some JavaDoc from a different bit of code that is for using a DEK to protect secrets like credentials in an application public class SecretGenerator extends java lang Object Static methods used to generate secret key material and passwords All methods require the caller supply a 'Data Encrypting Key' (DEK)
|
|
|