Data Encryption Key (DEK) encryption protocol
Each time an encryption is performed, the SDK generates a random 256-bit Data Encryption Key (DEK) using a random number generator. This DEK is then:
- Used to encrypt the data using the AES-256-GCM algorithm.
- Protected by an additional encryption key.
The selected protocol defines how the DEK is protected. There are three protocols.
Protocol Kas
The DEK is wrapped locally with a provided public key, using the RSA-OAEP algorithm and a 4096-bit key.
The private key is stored in the KMaaS server through the KAS module. When the SDK needs to decrypt the DEK, it calls the KMaaS, which performs the decryption using the private key. Attribute-Based Access Control (ABAC) rules are enforced during this call.
The public key and KAS are set when initializing an Sdsdk instance.
Protocol Symmetric Kas
The DEK is protected using a Key Encryption Key (KEK), which is stored and managed by the KAS module of the KMaaS server.
During encryption, the SDK requests the KMaaS to encrypt the DEK. The server uses the AES-256-GCM symmetric encryption algorithm to encrypt the DEK.
During decryption, the SDK requests the server to decrypt the DEK using the KEK. Attribute-Based Access Control (ABAC) rules are enforced during this request.
The KAS is configured when initializing an Sdsdk instance.
Protocol Local Symmetric Kas
The DEK is both encrypted and decrypted locally using a symmetric Key Encryption Key (KEK), with the AES-KW algorithm.
The KEK is provided when initializing an Sdsdk instance.
Summary
| Protocol | Encryption | Decryption | DEK protection algorithm | ABAC |
|---|---|---|---|---|
| Kas | Offline | Online | RSA-OAEP | Yes |
| Symmetric Kas | Online | Online | AES-GCM | Yes |
| Local Symmetric Kas | Offline | Offline | AES-KW | No |