DKEK Key Domains
A DKEK Key Domain is a group of SmartCard-HSMs where the membership in the group is established by importing one or more key shares that resemble the Key Encryption Key. DKEK Shares are under control of assigned Key Custodians, that ensure the overall security by implementing suitable key management protocol.
The Device Key Encryption Key (DKEK) is a 256-Bit AES key assembled internally by XORing one or more 256-Bit DKEK Shares, imported into the device during a key ceremony. Each key custodian keeps a single DKEK Share under his sole control. Only if all assigned key custodians collaborate, can the DKEK be assembled and a SmartCard-HSM added to a DKEK Key Domain.
There are three formats available store DKEK Shares:
- A PaperKey is a printable sequence of characters that the key custodian can enter during the key ceremony.
- A file containing the DKEK Share with password-based encryption for which only the key custodian knows the password.
- A file containing the DKEK Share with password-based encryption and a password that is split using the Shamir Shared Secret scheme for n-of-m threshold scheme.
Creating a PaperKey DKEK Share
See the Blog-Post for details.
Creating a Password Protected DKEK Share
See the Blog-Post for details.
Creating a n-of-m Protected DKEK Share
See the Blog-Post for details.