Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

The Derby Database supports encryption with a key or password. Traditionally thi

ID: 659246 • Letter: T

Question

The Derby Database supports encryption with a key or password. Traditionally this key is stored in the file systems, now I am looking to store and protect this key in the HSM instead, but I couldn't figure out how I should be doing it.

1. The most simplest approach seems to be just putting the key itself into the HSM? Then on server startup, the application will query the HSM for the key, use it to boot the Derby database, and then discard the key. However, I have read that it seems ineffective because the key can then be simply extracted, but I do not really understand what's the security issue with this appraoch, is this the approach that I should be taking?

2. The second way that I read about is hybrid encryption, but I am not really sure whether it is applicable to my case. I will generate a symmetric key, then generate a keypair in the HSM. Then I will use the Public Key from the HSM to encrypt the symmetric key and store it locally in the file system. On server start up, I will pass this encrypted symmetric key to the HSM to decrypt it using the unextractable Private Key. Is there any merits using this approach or its overkill for this purpose?

From the way I understand, most of the usage of HSM revolves around having different senders (encrypt) and receivers (decrypt), hence the use of KeyPairs instead of symmetric keys?

Explanation / Answer

You can use the HSM to store and manage your keys but you should also be able to use the HSM to perform encrypt and decrypt functions on behalf of your database or application. It depends on the functionality available on the HSM you have or are considering using. Here are a some examples of how you could use it:

1) Store a symmetric encryption key within the HSM. Your application/database can request this key from the HSM and use if for encryption and decryption operations. This means the key will leave the HSM and be available in clear text in memory to do its work. This key will be vulnerable to memory scraping.

2) Store a symmetric encryption key within the HSM. You application/database can send data to the HSM to be encrypted or decrypted. In this case the key never leaves the HSM.

3) Store a symmetric or asymmetric encryption key within the HSM. Use this encryption key to encrypt your Data Encryption Key (DEK). Store this cryptogram wherever you want. Request the Key Encrypting Key (KEK) from the HSM to decrypt your DEK and use your DEK for encryption/decryption operations.

Related Questions

The Denver Post reported that, on average, a large shopping center had an incide
Question #3336486
The Denver Post reported that, on average, a large shopping center had an incide
Question #3336874
The Denver Post stated that 70% of all new products introduced in grocery stores
Question #3180545
The Denver advertising agency promoting the new Breem dishwashing detergent want
Question #422613
The Department also wants to know how well lengths (sizes of objects) and distan
Question #3279030
The Department of Agriculture wants to estimate the number of acres oriented in
Question #3318239
The Department of Chemistry, TAMUK General Chemistry Exam 9 Your favorite candy
Question #500676
The Department of Computer Science and Information Technology Midterm -CSCI 311-
Question #3590884
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
The Depth Gauge Problem Liquids are often stored in elliptical storage tanks as
Next
The Desain water plant bottles purified and flavored waters in a variety of size

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.