Encryption machines are often used to protect data privacy, especially in the banking industry. One of their main functions is key storage. A standard key system of the banking industry is the three-layer key system of ANSI X9.17, which strictly limits how keys at each level may be used. The first layer is an encryption machine master key (also referred to as the root key), the second layer is a bank master key (also referred to as the user master key), and the third layer is a work key, which is also referred to as the user work key or user data key.
The root key, which comprises three components, is stored in a hardware encryption machine and can be used to protect various keys stored outside the encryption machine and encryption keys of critical data. The role of the user master key is to encrypt a work key that is to be transmitted on a communication line. The user master key is typically either encrypted under a root key or stored directly in the hardware encryption machine. The role of the user work key is to encrypt a variety of different data, so as to implement functions such as data privacy, information authentication and digital signature. The user work key is either encrypted under the user master key or stored directly in the hardware encryption machine.
Prior to use, a root key must be injected into the encryption machine. The encryption machine usually carries a set of IC cards (an A card, a B card and a C card). Before startup, the management staff inserts the A card into the corresponding slot of the encryption machine and injects the three components of the root key through the encryption machine's panel menu or a management program provided by the manufacturer, each component being 32 hexadecimal numbers. Afterwards, the root key is stored in the A card and the B card, a user master key is then injected, and after the related operations are completed, the user master key is stored in the C card. The key injection process described above may vary between encryption machines, but in every case it can be completed only by manually inserting a card.
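The three-layer hierarchy and the three-component root key described above can be sketched as follows. This is an added example, not code from the original document: it assumes the components are combined by XOR, reads each component as 32 hexadecimal digits (16 bytes), models "strictly limits" as each key protecting only the layer directly below it, and uses an HMAC-SHA256 keystream as a stand-in for the encryption machine's cipher; all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Layer order from the text; "data" is what a work key protects.
LAYERS = ("root", "master", "work", "data")

def combine_components(c1, c2, c3):
    # Assumption: the three components are XORed; the text does not say how.
    parts = [bytes.fromhex(c) for c in (c1, c2, c3)]
    if any(len(p) != 16 for p in parts):
        raise ValueError("each component must be 32 hexadecimal characters")
    return bytes(x ^ y ^ z for x, y, z in zip(*parts))

def _check_layers(kek_layer, payload_layer):
    # A key may only protect material exactly one layer below it.
    if LAYERS.index(payload_layer) != LAYERS.index(kek_layer) + 1:
        raise PermissionError(f"{kek_layer} key may not protect {payload_layer}")

def _stream(key, nonce, n):
    # Stand-in cipher: HMAC-SHA256 in counter mode (not what an HSM uses).
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _tag(key, layer, nonce, ct):
    # Integrity tag bound to the payload's layer, so a blob cannot be relabelled.
    return hmac.new(key, b"mac" + layer.encode() + nonce + ct, hashlib.sha256).digest()

def wrap(kek, kek_layer, payload, payload_layer):
    _check_layers(kek_layer, payload_layer)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(payload, _stream(kek, nonce, len(payload))))
    return {"layer": payload_layer, "nonce": nonce, "ct": ct,
            "tag": _tag(kek, payload_layer, nonce, ct)}

def unwrap(kek, kek_layer, blob):
    _check_layers(kek_layer, blob["layer"])
    if not hmac.compare_digest(blob["tag"], _tag(kek, blob["layer"], blob["nonce"], blob["ct"])):
        raise ValueError("integrity check failed: wrong key or altered blob")
    return bytes(c ^ s for c, s in zip(blob["ct"], _stream(kek, blob["nonce"], len(blob["ct"]))))

if __name__ == "__main__":
    # Constructed sample components, 32 hexadecimal characters each.
    root = combine_components("0123456789abcdef0123456789abcdef",
                              "fedcba9876543210fedcba9876543210", "0f" * 16)
    master, work = secrets.token_bytes(16), secrets.token_bytes(16)
    stored_master = wrap(root, "root", master, "master")   # kept outside the machine
    stored_work = wrap(master, "master", work, "work")     # sent over the line
    record = wrap(work, "work", b"account=constructed-sample", "data")
    recovered_work = unwrap(unwrap(root, "root", stored_master), "master", stored_work)
    print(unwrap(recovered_work, "work", record))
```

Only the root key has to live inside the machine in this model: the wrapped user master key and work key can be stored or transmitted outside it, and a blob presented to the wrong layer or altered in transit is rejected.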
In addition, with the rapid development of cloud computing, data storage, data calculation and data applications are increasingly cloud-enabled, and how to guarantee the security of cloud users' sensitive data and critical applications is a major problem for the public cloud. The encryption machine introduced previously is one method of protecting data privacy, and a cloud-enabled encryption machine is often desired. For example, users can host the encryption machine at a cloud provider, so as to protect the users' private business data on the corresponding clouds.
The traditional manner of injecting a key by manually inserting a card is feasible where encryption machine devices are relatively few and the encryption machine is placed with the client. In the public cloud, however, the encryption machine is usually hosted at a place away from the customer's building, and the number of encryption machine devices increases greatly, so the traditional manner has many inconveniences. On the one hand, a cloud user needs to travel a long distance to the cloud provider to insert a card for injecting a key, and the operation steps are cumbersome and waste time and energy. On the other hand, as various kinds of cloud users come into and go out of the cloud provider, the management efficiency of the cloud provider is low and there are potential safety hazards, which reduces the cloud users' trust in hosting the encryption machine at the cloud provider.