On Mon, Feb 21, 2022 at 12:11:22AM -0500, Mimi Zohar wrote:
> On Tue, 2022-02-15 at 09:19 -0500, Yael Tzur wrote:
> > For availability and performance reasons master keys often need to be
> > released outside of a Key Management Service (KMS) to clients. It
> > would be beneficial to provide a mechanism where the
> > wrapping/unwrapping of data encryption keys (DEKs) is not dependent
> > on a remote call at runtime yet security is not (or only minimally)
> > compromised. Master keys could be securely stored in the Kernel and
> > be used to wrap/unwrap keys from Userspace.
> >
> > The encrypted.c class supports instantiation of encrypted keys with
> > either already-encrypted key material, or by generating new key
> > material based on random numbers. This patch defines a new datablob
> > format: [<format>] <master-key name> <decrypted data length>
> > <decrypted data> that allows injecting and encrypting user-provided
> > decrypted data. The decrypted data must be hex-ascii encoded.
> >
> > Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> > Signed-off-by: Yael Tzur <yaelt@xxxxxxxxxx>
>
> Thanks, Yael.
>
> This patch is now queued in the #next-integrity-testing branch.
>
> --
> thanks,
>
> Mimi
>

Reviewed-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>

BR, Jarkko
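As an added illustration of the datablob format quoted in the patch description above (example code, not the kernel's encrypted.c parser), the following validator checks a `[<format>] <master-key name> <decrypted data length> <decrypted data>` string before it would be handed to the key service; the accepted `trusted:`/`user:` master-key prefixes, the `default` fallback format and the size bounds are assumptions for this demo.

```python
import binascii
from typing import NamedTuple

# Assumed for this example: master keys are trusted or user keys, and the
# decrypted payload must fall within these byte-length bounds.
MASTER_KEY_PREFIXES = ("trusted:", "user:")
MIN_DATA_SIZE = 20
MAX_DATA_SIZE = 4096


class DataBlob(NamedTuple):
    fmt: str
    master_key: str
    datalen: int
    decrypted: bytes


def parse_datablob(blob: str) -> DataBlob:
    """Parse '[<format>] <master-key name> <datalen> <hex data>'.

    Raises ValueError on any inconsistency so malformed material is
    rejected instead of being wrapped under the master key.
    """
    fields = blob.split()
    if len(fields) == 4:
        fmt, master_key, datalen_s, hexdata = fields
    elif len(fields) == 3:
        fmt = "default"  # <format> is optional (assumed default name)
        master_key, datalen_s, hexdata = fields
    else:
        raise ValueError(f"expected 3 or 4 fields, got {len(fields)}")

    if not master_key.startswith(MASTER_KEY_PREFIXES):
        raise ValueError(f"master key must start with one of {MASTER_KEY_PREFIXES}")

    try:
        datalen = int(datalen_s, 10)
    except ValueError as exc:
        raise ValueError("decrypted data length is not a decimal integer") from exc
    if not MIN_DATA_SIZE <= datalen <= MAX_DATA_SIZE:
        raise ValueError(f"decrypted data length {datalen} out of range")

    try:
        decrypted = binascii.unhexlify(hexdata)  # must be hex-ascii, even length
    except binascii.Error as exc:
        raise ValueError("decrypted data is not valid hex-ascii") from exc
    if len(decrypted) != datalen:
        raise ValueError(f"declared length {datalen} != actual {len(decrypted)}")

    return DataBlob(fmt, master_key, datalen, decrypted)


def is_valid_datablob(blob: str) -> bool:
    """Boolean wrapper around parse_datablob() for quick checks."""
    try:
        parse_datablob(blob)
    except ValueError:
        return False
    return True
```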