Independent claim
1. A computer-implemented method, comprising:
   receiving, at a web server of a cryptography service, a request for a cryptographic key, the request specifying a lifetime, the request from a device associated with a customer of the cryptography service;
   generating, in a device that provides hardware protection of cryptographic material, the cryptographic key;
   selecting, from a set of domain keys stored within the device and programmatically unexportable from the device, a domain key with an expiration that matches the specified lifetime, the expiration enforced by at least one instance of an automated process that causes the domain key to become permanently inaccessible to the device at a time determined in accordance with the expiration;
   encrypting, in the device, the generated cryptographic key;
   generating a token that comprises the encrypted cryptographic key and an identifier of the cryptographic key;
   providing, to the device associated with the customer, the token in response to the received request; and
   performing one or more operations that cause the device to lose access to the cryptographic key.
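
The claimed flow as an added Python sketch (not part of the patent text or any vendor's code), showing why destroying the domain key at its expiration makes every key wrapped under it unrecoverable. Assumptions: the `ToyDevice` class, the HMAC-SHA256 keystream and tag standing in for the hardware device's cipher, exact-match selection on `now + lifetime`, the `domain_key_id` token field, and the constructed timestamps.

```python
import hashlib, hmac, secrets

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for the device's real cipher.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _mac(dk, key_id, nonce, ct):
    return hmac.new(dk, b"mac" + key_id.encode() + nonce + ct, hashlib.sha256).digest()

class ToyDevice:
    """Models the hardware device; domain keys exist only inside this object."""

    def __init__(self, expirations):
        # expiration timestamp -> (domain key id, domain key bytes)
        self._domain = {exp: (f"dk-{exp}", secrets.token_bytes(32)) for exp in expirations}

    def issue_token(self, lifetime, now):
        entry = self._domain.get(now + lifetime)   # assumption: exact-match selection
        if entry is None:
            raise ValueError("no domain key matches the requested lifetime")
        dk_id, dk = entry
        key = secrets.token_bytes(32)              # generated inside the device
        key_id, nonce = secrets.token_hex(8), secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(key, _keystream(dk, nonce, len(key))))
        # Only the token leaves this method; the plaintext key is never stored.
        return {"key_id": key_id, "domain_key_id": dk_id, "nonce": nonce,
                "ct": ct, "tag": _mac(dk, key_id, nonce, ct)}

    def purge_expired(self, now):
        # The automated process: destroy every domain key whose expiration has passed.
        self._domain = {exp: v for exp, v in self._domain.items() if exp > now}

    def unwrap(self, token):
        for dk_id, dk in self._domain.values():
            if dk_id == token["domain_key_id"]:
                expected = _mac(dk, token["key_id"], token["nonce"], token["ct"])
                if not hmac.compare_digest(expected, token["tag"]):
                    raise ValueError("token failed authentication")
                ks = _keystream(dk, token["nonce"], len(token["ct"]))
                return bytes(a ^ b for a, b in zip(token["ct"], ks))
        raise KeyError("domain key destroyed; wrapped key is unrecoverable")

if __name__ == "__main__":
    dev = ToyDevice(expirations=[3600, 86400])     # constructed timestamps
    tok = dev.issue_token(lifetime=3600, now=0)
    print(len(dev.unwrap(tok)))
    dev.purge_expired(now=3601)
```

After `purge_expired`, the customer still holds the token, but no copy of the wrapping key remains, so the lifetime is enforced by key destruction rather than by a policy check.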