On Tue, 2022-02-15 at 09:19 -0500, Yael Tzur wrote:
> For availability and performance reasons master keys often need to be
> released outside of a Key Management Service (KMS) to clients. It
> would be beneficial to provide a mechanism where the
> wrapping/unwrapping of data encryption keys (DEKs) is not dependent
> on a remote call at runtime yet security is not (or only minimally)
> compromised. Master keys could be securely stored in the Kernel and
> be used to wrap/unwrap keys from Userspace.
>
> The encrypted.c class supports instantiation of encrypted keys with
> either an already-encrypted key material, or by generating new key
> material based on random numbers. This patch defines a new datablob
> format: [<format>] <master-key name> <decrypted data length>
> <decrypted data> that allows injecting and encrypting user-provided
> decrypted data. The decrypted data must be hex-ascii encoded.
>
> Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> Signed-off-by: Yael Tzur <yaelt@xxxxxxxxxx>

Thanks, Yael. This patch is now queued in the #next-integrity-testing branch.

--
thanks,

Mimi
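As an added illustration (not part of the patch or of encrypted.c), here is a small Python parser for the datablob grammar the commit message describes, `new [<format>] <master-key name> <decrypted data length> [<decrypted data>]`, applying the hex-ascii and length checks a kernel-side parser has to apply before the payload is wrapped under the master key. Assumptions: the trusted:/user: master-key prefixes, the three format names and the 20..4096 byte payload bounds are what I recall from encrypted.c and are treated here as the example's own constants.

```python
import binascii
import re

# Assumed constants for this example: the payload bounds are what I recall as
# encrypted.c's MIN_DATA_SIZE/MAX_DATA_SIZE, the master key must be a trusted
# or user key, and format-specific rules (e.g. ecryptfs) are not modelled.
MIN_DATA_SIZE, MAX_DATA_SIZE = 20, 4096
MASTER_PREFIXES = ("trusted:", "user:")
FORMATS = ("default", "ecryptfs", "enc32")

def parse_new_datablob(datablob: str) -> dict:
    """Parse 'new [<format>] <master-key name> <datalen> [<decrypted data>]'.
    'data' is the decoded payload, or None when random key material should be
    generated instead. Raises ValueError on anything a parser must reject.
    """
    words = datablob.split()
    if not words or words[0] != "new":
        raise ValueError("only the 'new' command is modelled here")
    words = words[1:]
    fmt = "default"
    if words and words[0] in FORMATS:
        fmt = words.pop(0)
    if len(words) not in (2, 3):
        raise ValueError("expected <master-key name> <datalen> [<decrypted data>]")
    master, datalen_s = words[0], words[1]
    if not master.startswith(MASTER_PREFIXES):
        raise ValueError("master key must be a trusted: or user: key")
    if not datalen_s.isdigit():
        raise ValueError("decrypted data length must be a decimal number")
    datalen = int(datalen_s)
    if not MIN_DATA_SIZE <= datalen <= MAX_DATA_SIZE:
        raise ValueError(f"datalen {datalen} outside {MIN_DATA_SIZE}..{MAX_DATA_SIZE}")
    data = None
    if len(words) == 3:
        hexdata = words[2]
        # hex-ascii payload: exactly two hex digits per declared byte, so a
        # truncated, padded or non-hex payload is rejected before decoding
        if len(hexdata) != 2 * datalen or not re.fullmatch(r"[0-9a-fA-F]+", hexdata):
            raise ValueError("decrypted data must be hex-ascii of exactly datalen bytes")
        data = binascii.unhexlify(hexdata)
    return {"format": fmt, "master": master, "datalen": datalen, "data": data}

def is_valid_new_datablob(datablob: str) -> bool:
    """True if parse_new_datablob accepts the blob, False if it rejects it."""
    try:
        parse_new_datablob(datablob)
        return True
    except ValueError:
        return False
```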