H04L63/0485

UNIFIED HSM AND KEY MANAGEMENT SERVICE

Methods and systems for unified HSM and key management services are disclosed. According to certain embodiments, an encryption service request is issued by a client instance to a key management service (KMS) logic in a KMS cloud instance. The KMS logic parses the request to verify authorization for the request, identify the instance ID, and add to the request any additional information needed by hardware security management (HSM) middleware and hardware. A router receives the request from the KMS logic and, based on the instance ID, routes it to a service that transfers the request to HSM middleware. The HSM middleware parses the HSM type from the request, translates the request into HSM vendor-specific instructions, and routes the translated request to an HSM. The HSM according to certain embodiments is in a cloud computing environment separate from the KMS cloud instance, and in some embodiments the HSM is on-prem at a physical client site.

SELECTING A VPN CONNECTION USING NEGOTIATED CRYPTOGRAPHIC ALGORITHMS TO IMPROVE THROUGHPUT

The techniques described herein enable a virtual private network (VPN) gateway to select a VPN connection, from multiple VPN connections established between a network VPN gateway and a remote VPN gateway, based on performance factors such as throughput. A system may measure throughput in megabytes per second (Mbps). More specifically, a VPN gateway (e.g., a remote VPN gateway or a network VPN gateway) can configure a routing preference that selects a VPN connection that is more performant based on a cryptographic algorithm that is used for the VPN connection. The VPN gateway can update the routing preference to select an alternative VPN connection when the performance of the VPN connection suffers.

SECURE FILE TRANSFER

A method for secure file transmission comprises: encrypting a file using a location key system having multi-part keys; generating an identification for the encrypted file; transmitting the identification from a sender to a recipient; transmitting a public key from the recipient to the sender; generating, by M of N devices of a set of devices associated with the sender, their respective partial shared secrets for the encrypted file and encrypting the respective partial shared secrets with the public key; transmitting, by the sender, the encrypted file and encrypted partial shared secrets to the recipient; decrypting, by the recipient, the received encrypted partial shared secrets; combining the decrypted partial shared secrets with a threshold scheme; and decrypting the encrypted file using the combined secrets.

SECURE COMMUNICATION BETWEEN DEVICES
20220377058 · 2022-11-24

A method of providing secure communication between first and second devices comprises the first device and the second device connecting to a server via a secure communication channel. Encryption keys for the devices are generated and data relating to the encryption keys are exchanged via the server in the secure communication channel. A peer-to-peer connection for exchanging data is generated using encrypted connection information for the devices.

Data in Transit Protection with Exclusive Control of Keys and Certificates Across Heterogeneous Distributed Computing Environments

Certificate and key management is provided. A signed certificate corresponding to an enterprise is deployed to a plurality of cryptographic communication protocol endpoint proxies located in a heterogeneous distributed computing environment where a private key corresponding to the enterprise is not placed in any of the plurality of cryptographic communication protocol endpoint proxies. Offload of cryptographic communications from the plurality of cryptographic communication protocol endpoint proxies to the hardware security module is received by the hardware security module where the hardware security module verifies connection authenticity for the plurality of cryptographic communication protocol endpoint proxies across the heterogeneous distributed computing environment using the private key corresponding to the enterprise that remains within a security boundary of the hardware security module.

IPsec anti-replay window with quality of service

In some examples, an example method to provide an IPsec anti-replay window with quality of service (QoS) at a first network endpoint may include configuring a multiple number of anti-replay windows, generating a first security association (SA), and establishing the first SA with a second network endpoint. The first SA may include a first multiple number of security parameter indexes (SPIs), where each of the first multiple number of SPIs may be assigned to a specific QoS level, and each of the first multiple number of SPIs may be assigned to one of the multiple number of anti-replay windows. Establishing the first SA with the second network endpoint may include assigning the first SA to a first encryption key, and providing the first encryption key to the second network endpoint.

Selectively disclosing content of data center interconnect encrypted links

An apparatus includes a packet encryption circuit that uses encryption keys to encrypt each of two or more portions of a data packet. Each portion is encrypted with a different encryption key and includes one or more layers of the data packet. A first portion includes a layer of the data packet with MAC information. The apparatus includes a packet transmitter that transmits, from a source router, an encrypted data packet to an intermediate router between the source router and a destination router. The encrypted data packet includes an encrypted version of the data packet encrypted using the encryption keys. The intermediate router has encryption keys sufficient for a service level agreement of the intermediate router and lacks a portion of the encryption keys. The source and destination routers use a MAC security standard for encryption and decryption of the data packet using the encryption keys.

Receive-side processing for encapsulated encrypted packets
11509638 · 2022-11-22

Example methods and computer systems for receive-side processing for encapsulated encrypted packets. One example may comprise: in response to receiving, over a tunnel, a first encapsulated encrypted packet that includes a first encrypted inner packet and a first outer header, generating a first decrypted inner packet by performing decryption and decapsulation; and based on content of the first decrypted inner packet, assigning the first decrypted inner packet to a first processing unit. The method may further comprise: in response to receiving, over the tunnel, a second encapsulated encrypted packet that includes a second encrypted inner packet and a second outer header, generating a second decrypted inner packet by performing decryption and decapsulation; and based on content of the second decrypted inner packet, assigning the second decrypted inner packet to a second processing unit, thereby distributing post-cryptography processing over multiple processing units.

One-armed inline decryption/encryption proxy operating in transparent bridge mode

A proxy device coupled to a network receives communications between a client and a server on the network. The proxy device operates transparently to the client and the server, while coupled to receive and process the communications from a node on the network via a network port in a one-armed configuration. The proxy device communicates packets of the communications with an external tool coupled to the proxy device via a tool port and operates transparently to the node and the tool. In certain embodiments, the tool may be a network security device, such as a firewall.

METHOD AND SYSTEM FOR CONTROLLING ACCESS TO SECURE DATA USING CUSTODIAL KEY DATA
20220366060 · 2022-11-17

Methods and systems for controlling access to secure data use a custodial TRNG disk. Source data is encrypted using first key data from a first TRNG disk to generate encrypted data which is stored at a first location by a first entity. A second TRNG disk has second key data which is stored at a second location by a second entity. A first TRNG disk copy and a second TRNG disk copy are made identical to the first TRNG disk and the second TRNG disk, respectively, and are stored at one or more locations by a custodial entity. The first key data and the second key data are encoded together, and then transmitted to one or more of the first or second entities. The first quantity of encrypted data is decryptable using the encoded first key data and the second key data.