To protect transmissions of sensitive data, an electronic device may encrypt the sensitive data before transmission. Once the transmission reaches the intended recipient, the intended recipient may decrypt the transmitted data to extract the sensitive data. In some cases, the electronic devices may request an external service to perform the encryption and decryption via a network. Encryption and decryption can be processor intensive, so offloading such tasks to an external service can allow the electronic devices to dedicate resources to other processes.
Devices, such as hardware security modules (HSMs), can house external encryption and decryption services. In some instances, HSMs operate by encrypting or decrypting data using one or more keys. HSMs may also operate under a set of encryption policies provided by the user. Encryption policies mandate how the data is handled and how the keys are used. For example, the encryption policies may dictate how a service is supposed to operate if a key is compromised.
While offloading encryption and decryption to HSMs may ease the burden placed on electronic devices, HSMs may introduce additional constraints. For example, the encryption policies enforced by HSMs may limit the total amount of data that can be encrypted, the total number of encrypt operations for a single key, or the total amount of time a key can be used. In addition, because the HSMs are accessed over a network, requesting and receiving encrypted or decrypted data can be latency sensitive. Finally, HSMs can be expensive to implement and operate.