- DEK, KEK and Master key - Information Security Stack Exchange
This article is intended to be a simplified explanation sans drill-down for people wanting to understand these concepts/terms. What are DEK, KEK and MEK (Master key)?
- How do SED drives generate the DEK? - Information Security Stack Exchange
The DEK is used to encrypt all content on the drive. In the case the drive needs to be securely wiped, the DEK can simply be erased, regardless of whether or not the AK is set. According to the TCG, the DEK is generated on the drive itself, rather than being generated on the computer and transferred over through some vendor-specific ATA command:
- encryption - Why not use the KEK directly to encrypt data . . .
The DEK never changes: you don't want to re-encrypt every single file, so you don't change the DEK. You may want to change the KEK: if your KEK expires, got compromised, or you transfer ownership of the data to someone, you can re-encrypt the DEK with another key
- Hierarchical Key Rotation. Should I rotate the lowest level keys?
Ultimately, your DEK is the critical one - if someone has your data and your DEK then it is game over. Moreover, if someone has access to your data and the DEK then rotating all the other keys won't matter. Still, only you can decide whether or not it is worth the effort to rotate the DEK. Hence the question: what is your threat model?
- How to process or manage Key-Encryption-Key using HSM?
1. Data-Encryption-Key (DEK) 2. Key-Encryption-Key (KEK). KEK will be securely stored in HSM, which will be encrypted using master key. Data Encryption Key will be decrypted using KEK. Based on the above concept, my doubts are: Do we need to send the Encrypted DEK to the HSM for decrypting it, or do we need to decrypt the KEK and retrieve it from HSM?
- cryptography - Exchange of DEK and KEK (encryption keys) between app . . .
Exchange of DEK and KEK (encryption keys) between app server and key server. Asked 12 years, 4 months ago; modified 12 years, 4 months ago
- encryption - How to decrypt the Encrypted DEK using KEK which are . . .
Decrypting the DEK using KEK under PCI-Standards, which are separated by Servers: Let's say, for example, we have server1 and server2. Server1: It is in East US, called it as Application Server Host
- Checking if an RSA private key is passphrase protected
The 'legacy' (OpenSSL) unencrypted format does start with MII (which is 30 82, the first two octets of all reasonable-sized ASN.1 DER SEQUENCEs), and encrypted does not, but they are also distinguished by the Proc-type and DEK-info lines which are much more obvious