1. Field of the Invention
This invention relates generally to secure data transmission, and particularly to a method, system, and computer program product for encryption key management in a secure processor vault.
2. Description of Background
Secure data transmission, for example, via the internet or wireless communications networks, is important in many applications, including enterprise uses (e.g., by financial organizations, retailers, etc.), high-performance computing uses (e.g., by government entities, national laboratories, etc.), and small business or consumer uses (e.g., by online game providers and players). A popular approach to secure data transmission is encryption of the data for transmission between trusted devices (e.g., computers), which are equipped with information (or “keys”) to encrypt and/or decrypt the data for use in programs. Furthermore, in addition to encryption, an approach of isolating the program using the secure data (e.g., an account access, information management, or game program) from other programs on a trusted device is also popular. Typically, these approaches are accomplished through software (e.g., by other programs).
An improved approach for program isolation has emerged that utilizes hardware (e.g., a multi-core computer processing unit) to overcome vulnerabilities of software to data security attacks. For example, where software can be compromised (e.g., by a virus, hacking, or other undesirable activity) to gain access to secure data on a trusted device, hardware can be configured as a virtual “vault” that is immune to such attacks. In this approach, the encryption keys are stored in the vault, data that is pre-encrypted by the keys can enter the vault for decryption and manipulation by the isolated program, and data that is encrypted (or re-encrypted) by the keys can leave the vault for transmission to other trusted devices. However, it is desirable to utilize the improved security benefits of the hardware vault for so-called public key programs that do not have access to the “private” keys isolated in the vault to pre-encrypt data for entry into the vault.