Often, one electronic device transmits sensitive data to another electronic device. To protect such data, an electronic device may encrypt the sensitive data before transmission. Once the transmission reaches the intended recipient, the intended recipient may decrypt the transmitted data to extract the sensitive data. In some cases, the electronic devices may request an external service to perform the encryption and decryption via a network. Encryption and decryption can be processor intensive, so requesting an external service to perform such services can allow the electronic devices to dedicate resources to other necessary processes.
Devices, such as hardware security modules (HSMs), can house external encryption and decryption services. In some instances, HSMs operate by encrypting or decrypting data using one or more keys. HSMs may also operate under a set of encryption policies. Encryption policies mandate how the data is handled and how the keys are used. For example, the encryption policies may dictate how a service is supposed to operate if a key is compromised.
While offloading encryption and decryption to HSMs may ease the burden placed on electronic devices, HSMs may introduce additional constraints. For example, the encryption policies enforced by HSMs may limit the total amount of data that can be encrypted, the total number of encrypt operations for a single key, or the total amount of time a key can be used. In addition, because the HSMs are accessed over a network, requesting and receiving encrypted or decrypted data can be latency sensitive. Finally, HSMs can be expensive to implement and operate.