Title of invention: Apparatus and method for facilitating cryptographic key management services
Abstract: A cryptographic key management system includes executable instructions to control access to keys based on permissions for users and groups. Executable instructions support cryptographic operations on the keys through a network application program interface. The cryptographic operations are controlled by the permissions. The cryptographic operations are distributed between the servers and the clients in accordance with criteria specifying optimal execution of cryptographic operations between the servers and the clients.
Publication number: US8831992(B2) Publication date: 2014.09.09
Application number: US200812334276 Filing date: 2008.12.12
Applicant: Symantec Corporation Inventors: Price, III William F.; Callas Jonathan D.
Classification: G06Q30/00; H04L9/12; H04L9/08; G06Q20/38 Main classification: G06Q30/00
Agency: Fenwick & West LLP Agent: Fenwick & West LLP
Principal claim: 1. A computer-implemented method, comprising: receiving, at a client device from a consumer having a corresponding credential, a request to perform a cryptographic operation involving a managed asymmetric key; identifying, by the client device, a group of which the consumer is a member based on the credential; identifying, by the client device, cryptographic permissions associated with the managed asymmetric key specifying cryptographic operations involving the managed asymmetric key that members of the group are permitted to perform; identifying, by the client device, a symmetric key associated with the managed asymmetric key; storing, by the client device, an encrypted form of the symmetric key on the client device, the encrypted form of the symmetric key obtained by encrypting the symmetric key with a public key; determining, by the client device, that the identified cryptographic permissions are insufficient to obtain a private key corresponding to the public key; providing, by the client device, the encrypted form of the symmetric key to a first server; receiving, by the client device, from the first server, a decrypted form of the symmetric key; and decrypting, by the client device, content using the decrypted form of the symmetric key.
Address: Mountain View CA US