Database encryption technologies protect files, tables, columns, rows, or individual cells within a database. Sensitive information (e.g., credit card numbers, social security numbers, and other sensitive or personally identifiable information) is encrypted to prevent access by unauthorized entities. Data encryption is typically performed using cryptographic software modules, but the cryptographic keys are better protected using cryptographic hardware modules, also known as hardware security modules (HSMs). An HSM is a physical computing device that safeguards and manages cryptographic keys used for cryptographic functions (e.g., data encryption, key encryption, message authentication codes, or digital signatures) within the cryptographic boundary of the HSM. An HSM may be implemented in the form of a channel plug-in card, an external cabled device, or an external networked device that communicates securely with a computer or network server.
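As an added example (not code from the original text or from any product it describes), the following Go program models the division of labor just described: a software module encrypts individual column cells with AES-GCM, while the key-encryption key exists only inside an HSM stand-in that exposes nothing but wrap and unwrap of data-encryption keys. The `HSM` type, the `dek-wrap` label and the table/column/row context string are assumptions made for the illustration, not a real HSM interface.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// mustRandom returns n cryptographically random bytes (key or nonce material).
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce||ciphertext||tag; aad is authenticated, not encrypted.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal and fails if ciphertext, tag or aad were altered.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// HSM is a software stand-in for the cryptographic boundary of a hardware
// module (an assumption of this example, not a real HSM API): the KEK is
// generated inside and never returned; only wrap/unwrap of DEKs is exposed.
type HSM struct{ kek []byte }

func NewHSM() *HSM { return &HSM{kek: mustRandom(32)} }

func (h *HSM) WrapKey(dek []byte) ([]byte, error) { return gcmSeal(h.kek, dek, []byte("dek-wrap")) }
func (h *HSM) UnwrapKey(w []byte) ([]byte, error) { return gcmOpen(h.kek, w, []byte("dek-wrap")) }

// ColumnCrypto protects one column with a data-encryption key (DEK) that is
// persisted beside the table only in wrapped form; the plaintext DEK exists
// in software just long enough to process a cell.
type ColumnCrypto struct {
	hsm        *HSM
	WrappedDEK []byte
}

func NewColumnCrypto(h *HSM) (*ColumnCrypto, error) {
	wrapped, err := h.WrapKey(mustRandom(32))
	if err != nil {
		return nil, err
	}
	return &ColumnCrypto{hsm: h, WrappedDEK: wrapped}, nil
}

// cellContext is the AAD, so a ciphertext copied to another table, column or
// row fails authentication when decrypted there.
func cellContext(table, column, rowID string) []byte {
	return []byte(table + "/" + column + "/" + rowID)
}

// EncryptCell returns the bytes to store in the cell.
func (c *ColumnCrypto) EncryptCell(table, column, rowID, value string) ([]byte, error) {
	dek, err := c.hsm.UnwrapKey(c.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmSeal(dek, []byte(value), cellContext(table, column, rowID))
}

// DecryptCell recovers the plaintext only for the exact cell it was written to.
func (c *ColumnCrypto) DecryptCell(table, column, rowID string, stored []byte) (string, error) {
	dek, err := c.hsm.UnwrapKey(c.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := gcmOpen(dek, stored, cellContext(table, column, rowID))
	return string(pt), err
}
```

Typical use is `col, _ := NewColumnCrypto(NewHSM())`, then `col.EncryptCell("customers", "card_number", "42", value)` on write and `col.DecryptCell` with the same table, column and row identifier on read. Because the row identifier is part of the authenticated data, a ciphertext copied into another row is rejected on decryption, and because only `WrappedDEK` is stored, a dump of the table without access to the HSM yields no usable key.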
Transaction keys, used by various systems to securely exchange data, are difficult to establish and manage. Conventional key management schemes include fixed-key and master key/session key schemes (with either symmetric or asymmetric master keys). Each scheme requires that an initial key be established by some method, such as key components, key shares, or asymmetric key transport or key agreement. An initial key must be established with each entity that takes part in the data exchange transaction, and if an entity is compromised, generating and installing a new key is labor-intensive. Typically, automatic teller machines have initial keys manually installed in the field, point-of-sale terminals have initial keys injected at a key loading facility, and network connections might use paper key components or asymmetric keys installed manually.
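As an added example that is not part of the original text, the following Go code models a master key/session key scheme for transaction authentication: the host holds one initial (master) key per entity, each transaction is authenticated with a session key derived from that master key and a counter, and re-keying one compromised entity leaves the others untouched. The HMAC-based session key derivation, the `Host`/`Entity` types and the counter-based replay check are assumptions chosen for this illustration; conventional schemes may instead exchange a random session key under the master key.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// newMasterKey stands in for the initial key establishment step (key
// components, key injection, or asymmetric transport); here it is random bytes.
func newMasterKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// keyRecord is the state both sides hold for one entity: its initial
// (master) key and the last transaction counter used.
type keyRecord struct {
	master  []byte
	counter uint32
}

// sessionKey derives the per-transaction key as
// HMAC-SHA256(master, "session-key" || counter), so the master key never
// operates on transaction data directly (derivation chosen for this example).
func sessionKey(master []byte, counter uint32) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("session-key"))
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	mac.Write(c[:])
	return mac.Sum(nil)
}

// transactionMAC authenticates transaction data under a session key.
func transactionMAC(session, data []byte) []byte {
	mac := hmac.New(sha256.New, session)
	mac.Write(data)
	return mac.Sum(nil)
}

// Host keeps one independent master key per entity (ATM, POS terminal,
// network peer), so compromise of one entity requires replacing only its key.
type Host struct{ entities map[string]*keyRecord }

func NewHost() *Host { return &Host{entities: map[string]*keyRecord{}} }

// EstablishInitialKey creates (or replaces) the master key for an entity and
// returns it for loading into that entity; any previous key is forgotten.
func (h *Host) EstablishInitialKey(entityID string) []byte {
	k := newMasterKey()
	h.entities[entityID] = &keyRecord{master: k}
	return k
}

// Verify recomputes the MAC under the entity's current master key and
// rejects unknown entities, stale or replayed counters, and bad tags.
func (h *Host) Verify(entityID string, counter uint32, data, tag []byte) error {
	rec, ok := h.entities[entityID]
	if !ok {
		return errors.New("unknown entity")
	}
	if counter <= rec.counter {
		return errors.New("stale or replayed counter")
	}
	if !hmac.Equal(tag, transactionMAC(sessionKey(rec.master, counter), data)) {
		return errors.New("MAC mismatch")
	}
	rec.counter = counter
	return nil
}

// Entity is the remote side (e.g. a terminal) holding its loaded initial key.
type Entity struct {
	ID  string
	rec keyRecord
}

func NewEntity(id string, master []byte) *Entity {
	return &Entity{ID: id, rec: keyRecord{master: master}}
}

// Sign advances the counter and tags data with the next session key.
func (e *Entity) Sign(data []byte) (uint32, []byte) {
	e.rec.counter++
	return e.rec.counter, transactionMAC(sessionKey(e.rec.master, e.rec.counter), data)
}
```

The labor-intensive part the text describes is `EstablishInitialKey`: it is the one step that cannot be done over the channel being protected, and it has to be repeated for every entity that is deployed or re-keyed after a compromise. Everything after that (session key derivation, MAC, replay check) is automatic and per-transaction.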