Supporting two models for encrypting data: Alliance Key Manager
Traditional encryption key retrieval with local encryption means retrieving the encryption key from the hardware security module (HSM) key server and using it with your own local encryption library to encrypt or decrypt data. The encryption key is transmitted securely from the key manager to your application; your application uses the key for as long as it needs to, and then destroys it.
On-board encryption means sending the data, along with the name of the encryption key, to the server and asking the server to encrypt or decrypt it. In this case you never retrieve the encryption key: you send the data to the HSM device to be encrypted or decrypted, the encryption takes place on board, within the hardware security module (the key manager itself), and the result is sent back securely to your application.
When would you typically choose to do on-board encryption rather than retrieve the encryption key and then do encryption locally?
- Vulnerable client applications - use onboard encryption when the application runs in a higher-risk, exposed environment (a web application, ATM or kiosk); that way the encryption key (the secret you are trying to protect) remains within the HSM and never leaves it.
- Amount of data to be encrypted is small - small pieces of data, such as credit card numbers, Social Security numbers and e-mail addresses, are prime candidates for onboard encryption.
- No encryption library is available - for example, when you are working with an embedded system and have limited resources on the application side.
When should you not use onboard encryption for applications?
- When you have large amounts of data, it is best to retrieve the encryption key and perform the encryption locally.
How does Townsend Security’s encryption key manager, Alliance Key Manager, implement on-board encryption?
- Your application launches and creates a secure, encrypted TLS connection to Alliance Key Manager. The authentication mechanism requires the application to present a proper certificate and private key.
- When that connection is open and authenticated, you send the data to be encrypted and the name of the encryption key to be used to the key manager HSM.
- Once the encryption is complete and the key manager has sent the data back to your application over the same secure channel, the connection can be torn down.
Once a developer has decided to use onboard encryption with Alliance Key Manager, what do they need?
There are three mechanisms we deploy to make it straightforward and simple for developers to use on-board encryption or key retrieval.
- First, we provide software libraries (dynamic link libraries and .NET assemblies on Windows, shared libraries on Linux) that can be used out of the box to perform these kinds of tasks. These software libraries are on our AKM supplemental CD image and are free to use.
- We also provide sample source code that can be used as a starting point for an on-board encryption or traditional encryption key retrieval project.
- We also provide purpose-built applications that are ready to use out of the box to implement onboard encryption (typically enabled by a configuration option when our software is installed).
For more information, this brief video covers traditional encryption key retrieval versus onboard encryption services on the Alliance Key Manager device:
- When you want to use, or avoid using, onboard encryption
- Practical guidelines on how Alliance Key Manager implements the encryption service
- How your applications will actually use either key retrieval or onboard encryption
- Some performance and connection issues, and then
- We'll point you to some resources that might be helpful as you do your project