The present invention relates to a method and system for ensuring that cryptographic separation between plaintext and ciphertext is maintained, using operating system kernel-level containment mechanisms.
Where encryption of data is a security policy requirement within a system, there is a need to ensure that unencrypted data (referred to herein as “plaintext”) is kept separate from encrypted data (referred to herein as “ciphertext”). Such separation is referred to as “red/black separation” (where “red” refers to plaintext, and “black” to ciphertext), and is necessary to ensure that sensitive plaintext information does not become available in an application, storage device, network, or other system component in which it might be compromised. For example, where there is a security policy requirement that plaintext data is encrypted prior to transmission, storage, or the like, it is necessary to ensure that such encryption is actually performed on the plaintext data prior to the action being performed.