A method and apparatus for providing user key material from a server to a client is disclosed. The method comprises receiving a first message from the client in a server, the first message having a user key material request, an access token and an identifier of a transport key (TrK-ID), validating the user key material request according to the access token, generating a response having user key material responsive to the user key material request, encrypting the response according to the transport key (TrK), and transmitting a second message comprising the response from the server to the client. The client decrypts the second message according to the transport key (TrK) and validates the second message using the identifier of the transport key (TrK-ID).

An indication that a secure connection has been established with a key management service is received. The secure connection is associated with an automatically generated session encryption key utilized for encryption of data communication through the secure connection. In response to the indication that the secure connection has been established with the key management service, a determination is made to perform a rotation of a local encryption key utilized in encrypting locally stored data. The rotation of the local encryption key is performed based at least in part on the automatically generated session encryption key.

Methods and systems for remote dynamic isolation of IoT devices are provided. One system includes a first IoT device and a second IoT device configured with an active communication channel with the first IoT device and a role certificate. An operator device is configured to interact with a distributed ledger to issue and revoke role certificates for a plurality of devices including the first IoT device and the second IoT device. The first IoT device periodically validates a role certificate proof received from the second IoT device with an entry of the role certificate proof recorded on the distributed ledger.

Methods and systems for unified HSM and key management services are disclosed. According to certain embodiments, an encryption service request is issued by a client instance to a key management service (KMS) logic in a KMS cloud instance. The KMS logic parses the request to verify authorization for the request, identify the instance ID, and provide additional information to the request needed by hardware security management (HSM) middleware and hardware. A router receives the request from the KMS logic and routes the request to a service based on the instance ID, that transfers the request to HSM middleware. The HSM middleware parses HSM type from the request, translates the request to HSM vendor-specific instructions and routes the translated request to an HSM. The HSM according to certain embodiments is in a cloud computing environment separate from the KMS cloud instance, and in some embodiments the HSM is on-prem at a physical client site.

A key management apparatus receives a key request including a first device identification information and a second device identification information, encrypts a common key using the first device identification information to generate a first encrypted common key, encrypts the common key using the second device identification information to generate a second encrypted common key, and transmits a key response including the first encrypted common key and the second encrypted common key. A first device receives the key response, decrypts the first encrypted common key using the first device identification information to obtain the common key, and transmits the second encrypted common key. A second device receives the second encrypted common key and decrypts the second encrypted common key using the second device identification information to obtain the common key.

A key master service capable of operating on a service provider in a network enables is disclosed. The key master enables authorized parties to securely exchange client information without compromising client security. One feature of the key master service is the generation of a unique key for each client. All parties in an authorized universe access, exchange and modify client information by referencing the universal key, rather than using known client identifiers. Client information is further secured by advantageously applying an obfuscation function to the data. Obfuscated client information is stored together with the universal key as keyed client data at the client and/or server, where it may be directly accessed by the service provider or third parties. Because client information is stored and exchanged without the ability to discern either the client identity or the nature of the information, such information is secured against malicious third-party interception.

A path for a node of a computing environment is secured. The securing includes obtaining, by the node, a message that includes an identifier of a shared key and an encrypted message. The node obtains the shared key from a key server and uses it to decrypt the encrypted message to obtain an encryption key and one or more parameters. A security parameters index to be associated with the encryption key and the one or more parameters is obtained. The node sends a response message to another node, the response message including the security parameters index.

An apparatus in one embodiment comprises at least one processing device comprising a processor coupled to a memory. The at least one processing device is configured to receive in a storage system, from a host device, an identifier of an encryption-enabled logical storage device of the storage system, to utilize the identifier to obtain in the storage system a device-specific key from a key management server external to the storage system, and to utilize the obtained device-specific key to process input-output operations directed to the encryption-enabled logical storage device from the host device. The host device in some embodiments comprises at least one virtual machine and the encryption-enabled logical storage device comprises a virtual storage volume of the at least one virtual machine. Metadata associated with the virtual storage volume illustratively comprises an encryption status indicator specifying whether or not encryption is enabled for the virtual storage volume.

An integrated infrastructure secure communication system includes at least one chassis, and a plurality of computing devices that are located in the at least one chassis and that are coupled to each other. A first computing device included in the plurality of computing device receives a communication from a first component in the first computing device, retrieves a vendor-based key, and encrypts the communication using the vendor-based key to provide a first-level encrypted communication. The first computing device also generates a first random key, encrypts the first-level encrypted communication with the first random key to provide a second-level encrypted communication, and transmits the second-level encrypted communication to a second computing device that is included in the plurality of computing devices.

A system and method for signing and authenticating electronic documents using public key cryptography applied by one or more server computer clusters operated in a trustworthy manner, which may act in cooperation with trusted components controlled and operated by the signer. The system employs a presentation authority for presenting an unsigned copy of an electronic document to a signing party and a signature authority for controlling a process for affixing an electronic signature to the unsigned document to create a signed electronic document. The system provides an applet for a signing party's computer that communicates with the signature authority.