Distributed Key Management (DKM) services allow sharing of keys and other functionality. Specifically, a DKM service provides cryptographic key management services for secure data sharing amongst distributed applications (for example, as a supplement to the Windows™ DPAPI™). Some DKM systems may be specifically designed for data centers and cloud services, as well as customer computer clusters and distributed applications. Moreover, a DKM service might handle key rollover and expiration for users. But where the number of nodes in a DKM system is very large—on the order of tens of thousands of nodes—the secure distribution of DKM keys becomes a difficult problem.
Related application, U.S. application Ser. No. 12/982,235, filed on Dec. 30, 2010, and entitled “KEY MANAGEMENT USING TRUSTED PLATFORM MODULES,” describes that the security of the DKM keys is rooted in a highly-available but inefficient crypto processor called a Trusted Platform Module (TPM). Asymmetric key pairs are baked into TPMs during manufacture and include storage root keys (SRK). Working keys are stored in working memory of a computing system and are sealed by the SRKpub (the public key of the asymmetric SRK pair stored on the TPM), and the working keys are used to protect the DKM keys stored in memory.