Re: Page-Level Encryption

From Doug McNaught
Subject Re: Page-Level Encryption
Date
Msg-id 87wtguoa9h.fsf@asmodeus.mcnaught.org
In reply to Re: Page-Level Encryption  (David Blewett <david@dawninglight.net>)
Responses Re: Page-Level Encryption  (Bruce Momjian <pgman@candle.pha.pa.us>)
List pgsql-general
David Blewett <david@dawninglight.net> writes:

> In reading the documentation of Peter Gutmann's Cryptlib, I came
> across this section:
> "The use of crypto devices can also complicate key management, since
> keys generated or loaded into the device usually can't be extracted
> again afterwards. This is a security feature that makes external
> access to the key impossible, and works in the same way as cryptlib's
> own storing of keys inside its security perimeter. This means that if
> you have a crypto device that supports (say) DES and RSA encryption,
> then to export an encrypted DES key from a context stored in the
> device, you need to use an RSA context also stored inside the device,
> since a context located outside the device won't have access to the
> DES context's key."
>
> I'm not familiar with how his library protects keys, but this suggests
> that it would be possible to use it as a basis for transparent
> encryption.

He's talking about hardware crypto devices, which most systems don't
have (though they're certainly available).  If you don't have one of
those, then the key has to be stored in system memory.

-Doug
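The perimeter behaviour the quoted Cryptlib passage describes, as an added illustration that is not Cryptlib's or any device's code: keys are reachable only through handles, a key can leave the device only wrapped under another key that lives in the same device, and a context from elsewhere is refused. The `CryptoDevice`, `KeyContext` and XOR-plus-HMAC wrap are constructed for this example; the wrap is a toy, not a real key-encapsulation scheme, and the `_keys` dict makes Doug's point concrete: without hardware, the "perimeter" is still ordinary process memory.

```python
import hashlib
import hmac
import os

class OutsidePerimeterError(PermissionError):
    """A context from another device (or plain software) tried to use this device's key."""

class KeyContext:
    """Opaque handle to a key inside a device; carries no key material."""
    def __init__(self, device, handle):
        self.device, self.handle = device, handle

class CryptoDevice:
    """Keys live only in _keys and are used only inside this object's methods."""
    def __init__(self, name):
        self.name = name
        self._keys = {}  # handle -> raw key; in a software "device" this is still process memory

    def generate_key(self, nbytes=16):
        handle = os.urandom(4).hex()
        self._keys[handle] = os.urandom(nbytes)
        return KeyContext(self, handle)

    def _raw(self, ctx):
        if ctx.device is not self:  # the perimeter check
            raise OutsidePerimeterError(f"{ctx.device.name} context cannot reach a {self.name} key")
        return self._keys[ctx.handle]

    def mac(self, ctx, message):
        return hmac.new(self._raw(ctx), message, hashlib.sha256).hexdigest()

    def export_wrapped(self, key_ctx, wrapping_ctx):
        # Toy wrap (constructed, not a real KEK scheme): XOR under a hash-derived
        # keystream, integrity-protected by an HMAC under the wrapping key.
        kek, key = self._raw(wrapping_ctx), self._raw(key_ctx)
        nonce = os.urandom(16)
        stream = hashlib.sha256(kek + nonce).digest()[:len(key)]
        body = bytes(a ^ b for a, b in zip(key, stream))
        tag = hmac.new(kek, nonce + body, hashlib.sha256).digest()
        return nonce + tag + body

    def import_wrapped(self, blob, wrapping_ctx):
        kek = self._raw(wrapping_ctx)
        nonce, tag, body = blob[:16], blob[16:48], blob[48:]
        if not hmac.compare_digest(tag, hmac.new(kek, nonce + body, hashlib.sha256).digest()):
            raise ValueError("wrapped key failed its integrity check")
        stream = hashlib.sha256(kek + nonce).digest()[:len(body)]
        handle = os.urandom(4).hex()
        self._keys[handle] = bytes(a ^ b for a, b in zip(body, stream))
        return KeyContext(self, handle)
```

The re-imported key is checked by comparing MACs rather than reading it out, since no method returns raw key bytes.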
