As is generally known, a cryptographic key (or simply “key”) is used by an encryption circuit or logic to determine how input data is to be encrypted and/or decrypted. For example, a key may specify the particular transformation to be performed on input data during encryption, and/or the reverse process during decryption. Keys may also be used in other types of cryptographic operations, such as generating digital signatures and/or message authentication.
Some distributed computing environments use what are known as “master encryption keys” for certain types of data encryption performed by the devices they contain. In some systems, the master encryption key is required in order to perform certain encryption operations that must occur during the start-up process for individual devices. Accordingly, a master key may be required to re-start a device after a power loss, or to set up a newly added device. Because master encryption keys are often used to perform basic, underlying encryption operations, they must be stored securely, so that the security of both the individual devices and the overall computing environment is maintained.
Previous approaches to protecting master encryption keys have required an administrator user to enter a password whenever the master encryption key is accessed. For example, some prior solutions have stored a master encryption key in a “keystore” file that cannot be accessed without an administrator user entering their password. Other previous systems requiring the administrator user password have employed a hardware security module (HSM) with an access-control mechanism (e.g. multi-part password-based, smartcard, Universal Serial Bus (USB)/token, etc.), and required client software to authenticate to the HSM in order to access the master encryption key.