1. Field of the Invention
The present invention relates to computer security. More specifically, the present invention relates to a method and apparatus for managing cryptographic keys in a computing environment.
2. Related Art
In an effort to protect information from getting into the wrong hands, users often employ cryptographic techniques when storing and/or transmitting confidential information. For example, common cryptographic techniques typically involve using a decryption key to decrypt information that a client or server has encrypted with a corresponding encryption key. Note that in some instances the decryption key and the encryption key can be the same key. By using these cryptographic techniques, the problem of protecting information transforms into the problem of protecting cryptographic keys.
Each server or database that uses cryptographic techniques typically employs some type of strategy or mechanism to protect the corresponding cryptographic keys from unwanted distribution. However, these strategies or mechanisms usually provide little protection from a malicious administrator who wishes to obtain the corresponding cryptographic keys particularly because storage encryption keys may often be stored persistently on the server.
Shifting the responsibility of protecting cryptographic keys from the server or the database to the owners of the data that is being protected helps protect the cryptographic keys from malicious administrators. However, for each cryptographic key that a user protects, there is an increase in the user's infrastructure required to securely store the cryptographic key. Furthermore, there can be a corresponding increase in the user's infrastructure required to handle key recovery in the event that the cryptographic key is lost. This increase in infrastructure can be both costly and difficult to maintain.
Hence, what is needed is a method for managing cryptographic keys without the problems listed above.