Independent claim |
1. A system for centrally managing encryption or decryption services across multiple domains, the system comprising:
at least one processor; and
a non-transitory computer readable medium including instructions which, when executed, are configured to cause the at least one processor to implement a key manager,
the key manager configured to generate a master key to protect a plurality of domains including a first domain and a second domain different from the first domain;
the key manager configured to store the master key;
the key manager configured to determine a first encryption algorithm and first key size based on domain-specific policy information for the first domain, and to determine a second encryption algorithm and second key size based on domain-specific policy information for the second domain;
the key manager configured to generate a plurality of domain keys, including generating a first domain key having the first key size for the first domain and generating a second domain key having the second key size for the second domain;
the key manager configured to encrypt the plurality of domain keys, including the first domain key and the second domain key, with the master key;
the key manager configured to store the encrypted first domain key and the encrypted second domain key in an area remote from the first domain and the second domain;
the key manager configured to generate a first Cipher object for the first domain in response to a request from the first domain, including retrieving the first domain key, decrypting the first domain key with the master key, and transmitting the first Cipher object to the first domain, the first Cipher object identifying the first encryption algorithm and including the first domain key; and
the key manager configured to generate a second Cipher object for the second domain in response to a request from the second domain, including retrieving the second domain key, decrypting the second domain key with the master key, and transmitting the second Cipher object to the second domain, the second Cipher object identifying the second encryption algorithm and including the second domain key,
wherein the first encryption algorithm and the first domain key of the first Cipher object are not exposed to the first domain other than by invocation of encryption or decryption provided by the first Cipher object, and the second encryption algorithm and the second domain key of the second Cipher object are not exposed to the second domain other than by invocation of encryption or decryption provided by the second Cipher object. |
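The key hierarchy the claim describes (a master key wrapping one domain key per domain, algorithm and key size chosen from per-domain policy, and a Cipher object handed to the domain that exposes only encrypt/decrypt) is shown below as an added Python example. It is not the patent's own code and makes some assumptions: the policy table and domain names are constructed for illustration, the master key is generated in-process where a real deployment would hold it in an HSM or KMS, and the two "algorithms" are stand-ins built from the standard library (an HMAC keystream in counter mode plus an HMAC tag, encrypt-then-MAC) so the example runs offline; production code would select AES-GCM or similar from a vetted library instead.

```python
import hashlib
import hmac
import secrets

# Constructed policy table (assumption): per-domain algorithm and key size.
DOMAIN_POLICY = {
    "payments":  {"algorithm": "hmac-sha512-ctr", "key_size": 64},
    "analytics": {"algorithm": "hmac-sha256-ctr", "key_size": 32},
}
# Stand-in cipher suites: the name selects the HMAC digest used as a PRF.
_DIGESTS = {"hmac-sha256-ctr": hashlib.sha256, "hmac-sha512-ctr": hashlib.sha512}
_NONCE_LEN = 16


def _keystream_xor(key, digest, nonce, data):
    """XOR data with successive HMAC(key, nonce || counter) blocks (PRF in CTR mode)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), digest).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _seal(key, digest, plaintext, aad):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag, with aad bound into the tag."""
    enc_key = hmac.new(key, b"enc", digest).digest()   # domain-separated subkeys
    mac_key = hmac.new(key, b"mac", digest).digest()
    nonce = secrets.token_bytes(_NONCE_LEN)
    ct = _keystream_xor(enc_key, digest, nonce, plaintext)
    tag = hmac.new(mac_key, aad + nonce + ct, digest).digest()
    return nonce + ct + tag


def _open(key, digest, blob, aad):
    """Verify the tag in constant time before decrypting; raise ValueError on any mismatch."""
    tag_len = digest().digest_size
    if len(blob) < _NONCE_LEN + tag_len:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:_NONCE_LEN], blob[_NONCE_LEN:-tag_len], blob[-tag_len:]
    enc_key = hmac.new(key, b"enc", digest).digest()
    mac_key = hmac.new(key, b"mac", digest).digest()
    expected = hmac.new(mac_key, aad + nonce + ct, digest).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _keystream_xor(enc_key, digest, nonce, ct)


class Cipher:
    """What a domain receives: encrypt/decrypt only, bound to its domain name.

    Key and algorithm live in closures, not attributes, so the domain's API
    surface offers no way to read them; it can only invoke the operations.
    """
    __slots__ = ("domain", "encrypt", "decrypt")

    def __init__(self, domain, algorithm, key):
        digest = _DIGESTS[algorithm]
        aad = domain.encode()
        self.domain = domain
        self.encrypt = lambda plaintext: _seal(key, digest, plaintext, aad)
        self.decrypt = lambda blob: _open(key, digest, blob, aad)


class KeyManager:
    """Holds the master key and stores only wrapped domain keys, never plaintext ones."""

    def __init__(self, policy):
        self._policy = policy
        self._master_key = secrets.token_bytes(32)   # assumption: HSM/KMS-held in practice
        self._wrapped = {}   # domain -> wrapped key, kept outside every domain
        for domain, rule in policy.items():
            domain_key = secrets.token_bytes(rule["key_size"])
            # The domain name is aad, so a wrapped blob cannot be swapped between domains.
            self._wrapped[domain] = _seal(self._master_key, hashlib.sha256,
                                          domain_key, domain.encode())

    def get_cipher(self, domain):
        """Unwrap the domain key and return a Cipher object; the key itself is never returned."""
        rule = self._policy[domain]
        domain_key = _open(self._master_key, hashlib.sha256,
                           self._wrapped[domain], domain.encode())
        return Cipher(domain, rule["algorithm"], domain_key)


def demo():
    """Round trip, tamper detection and cross-domain rejection; returns a result map."""
    km = KeyManager(DOMAIN_POLICY)
    pay, ana = km.get_cipher("payments"), km.get_cipher("analytics")
    blob = pay.encrypt(b"4111 1111 1111 1111")          # constructed sample input
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])
    results = {
        "roundtrip": pay.decrypt(blob) == b"4111 1111 1111 1111",
        "key_hidden": not hasattr(pay, "key") and not hasattr(pay, "algorithm"),
    }
    for name, action in (("cross_domain", lambda: ana.decrypt(blob)),
                         ("tamper", lambda: pay.decrypt(tampered))):
        try:
            action()
            results[name] = False
        except ValueError:
            results[name] = True
    return results
```

Two caveats a practitioner would add. First, the wrapped keys are bound to their domain name through the associated data, so an attacker who can rewrite the remote key store cannot hand the payments domain the analytics key (or the reverse) without the unwrap failing. Second, "not exposed other than by invocation" is an API boundary here, not a security boundary: in Python a determined caller can still reach a closure's cells through `__closure__`, so isolating the key from the domain in the sense the claim intends requires the Cipher object to run in a separate process, sandbox or HSM, with only encrypt/decrypt crossing that boundary.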