Title: Key management using trusted platform modules
Abstract: Described herein are techniques for distributed key management (DKM) in cooperation with Trusted Platform Modules (TPMs). The use of TPMs strengthens the storage and processing security surrounding management of distributed keys. DKM-managed secret keys are never persistently stored in clear form. In effect, the TPMs of participating DKM nodes provide security for DKM keys, and a DKM key, once decrypted with a TPM, is available from memory for ordinary cryptographic operations that encrypt and decrypt user data. TPM public keys can be used to determine the set of trusted nodes to which TPM-encrypted secret keys can be distributed.
Publication number: US9026805(B2)
Publication date: 2015.05.05
Application number: US201012982235
Filing date: 2010.12.30
Applicant: Microsoft Technology Licensing, LLC
Inventors: Acar Tolga; LaMacchia Brian; Morales Henry Jerez; Nguyen Lan Duy; Robinson David; Tariq Talha Bin
Classification: H04L9/08; G06F21/60
Main classification: H04L9/08
Agency: (none listed)
Attorneys: Akhter Julie Kane; Holmes Danielle Johnston; Minhas Micky
Independent claim: 1. A method of providing distributed key management (DKM) in a DKM system comprised of DKM client computers and a DKM server, each DKM client computer comprising a trusted platform module (TPM), the method comprising: sharing DKM keys among DKM clients, wherein TPMs of the DKM clients are used to decrypt the DKM keys with TPM private keys, and wherein software cryptography components are used to encrypt the DKM keys with TPM public keys, and wherein the DKM keys when not in use are stored as encrypted by the TPM public keys, and wherein the DKM keys, when decrypted, are used by the cryptography software components of the DKM clients to encrypt and decrypt data, and wherein the decrypted DKM keys are accessible in clear form in memory of the DKM clients during encryption or decryption operations that use the decrypted DKM keys; creating a default DKM policy that applies to a plurality of DKM groups of the DKM system, wherein the default DKM policy specifies a set of cryptographic algorithms to protect data, a current DKM key to use in protect operations, and a lifetime of the current DKM key; and overriding the default DKM policy of the plurality of DKM groups by a different DKM policy for a particular DKM group of the plurality of DKM groups.
Address: Redmond WA US
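The following Python model is an added illustration of the flow in the abstract and claim 1; it is not code from the patent or from Microsoft. It shows the four elements the claim ties together: a DKM key is persisted only as encrypted to each trusted node's TPM public key, only the matching TPM can decrypt it, the clear key exists in memory just while a protect or unprotect operation runs, and a default policy (algorithms, current key, lifetime) is overridden for one group. The TPM is a stand-in: a toy ElGamal-style key pair over a small prime, chosen so that the example runs with the standard library only; the prime, the class and function names, and the node and key identifiers are all constructed for this example. Real TPMs hold RSA or ECC keys in hardware.

```python
# Added illustration of the claim-1 flow (not the patent's code). The TPM stand-in is a
# toy ElGamal-style key pair over a small prime; real TPMs hold RSA/ECC keys in hardware.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

P = 2**127 - 1   # constructed toy modulus, far too small for real use
G = 5


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, expanded to `length` bytes."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _seal(key, plaintext):
    """Encrypt-then-MAC under a symmetric key: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()


def _open(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def _kdf(shared):
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def wrap_with_public_key(public_key, dkm_key):
    """Software cryptography component: encrypt a DKM key to a node's TPM public key."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P).to_bytes(16, "big") + _seal(_kdf(pow(public_key, r, P)), dkm_key)


class SimulatedTPM:
    """The private value never leaves this object; only it can unwrap its own blobs."""

    def __init__(self):
        self._private = secrets.randbelow(P - 2) + 1
        self.public_key = pow(G, self._private, P)

    def unwrap(self, blob):
        return _open(_kdf(pow(int.from_bytes(blob[:16], "big"), self._private, P)), blob[16:])


@dataclass
class DKMPolicy:
    algorithms: tuple      # set of algorithms used to protect data
    current_key_id: str    # DKM key used in protect operations
    key_lifetime_s: int    # lifetime of the current DKM key


@dataclass
class DKMServer:
    default_policy: DKMPolicy
    group_policies: dict = field(default_factory=dict)  # group -> overriding policy
    trusted_nodes: dict = field(default_factory=dict)   # node -> TPM public key (the trust set)
    wrapped_keys: dict = field(default_factory=dict)    # (node, key_id) -> TPM-encrypted key

    def policy_for(self, group):
        return self.group_policies.get(group, self.default_policy)

    def distribute(self, key_id, dkm_key):
        # Persisted only as encrypted by each trusted node's TPM public key.
        for node, pub in self.trusted_nodes.items():
            self.wrapped_keys[(node, key_id)] = wrap_with_public_key(pub, dkm_key)


class DKMClient:
    def __init__(self, name, tpm, server):
        self.name, self.tpm, self.server = name, tpm, server

    def _key(self, key_id):
        blob = self.server.wrapped_keys.get((self.name, key_id))
        if blob is None:
            raise PermissionError(f"{self.name} is not a trusted node for {key_id}")
        return self.tpm.unwrap(blob)  # clear key lives only in memory, only while in use

    def protect(self, group, data):
        key_id = self.server.policy_for(group).current_key_id
        return key_id, _seal(self._key(key_id), data)

    def unprotect(self, key_id, blob):
        return _open(self._key(key_id), blob)


def run_demo():
    server = DKMServer(DKMPolicy(("AES-256-CBC", "HMAC-SHA256"), "key-default", 90 * 86400))
    server.group_policies["finance"] = DKMPolicy(("AES-256-GCM",), "key-finance", 30 * 86400)
    tpm_a, tpm_b, tpm_c = SimulatedTPM(), SimulatedTPM(), SimulatedTPM()
    server.trusted_nodes.update({"node-a": tpm_a.public_key, "node-b": tpm_b.public_key})
    server.distribute("key-default", os.urandom(32))   # node-c is never enrolled
    server.distribute("key-finance", os.urandom(32))
    a = DKMClient("node-a", tpm_a, server)
    b = DKMClient("node-b", tpm_b, server)
    c = DKMClient("node-c", tpm_c, server)
    key_id, blob = a.protect("finance", b"payroll record")
    results = {"finance_key": key_id, "default_key": a.protect("hr", b"x")[0],
               "roundtrip": b.unprotect(key_id, blob)}
    try:
        c.protect("finance", b"x")
        results["untrusted_rejected"] = False
    except PermissionError:
        results["untrusted_rejected"] = True
    try:
        tpm_c.unwrap(server.wrapped_keys[("node-a", "key-finance")])
        results["cross_tpm_rejected"] = False
    except ValueError:
        results["cross_tpm_rejected"] = True
    return results
```

`run_demo()` wires two trusted nodes and one unenrolled node to a server with a default policy and a finance-group override. Node A protects data under the override's key, node B unprotects it with its own TPM-encrypted copy, and the unenrolled node is refused both at the server (no wrapped copy exists for it) and at the TPM level (its private value cannot unwrap a blob encrypted to another node's public key). The `key_lifetime_s` field is carried in the policy as the claim specifies; rotation logic is outside what the claim describes and is left out.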