International Association
for Cryptologic Research

We present a system for key management and protection of data at rest. At the heart of our system is a new protocol for secure key derivation, departing from the common practice of envelope encryption. Our solution adheres to existing enterprise architecture best practices and performance requirements. Our system is implemented at industrial scale, managing tens of thousands of root keys and serving thousands of server side key derivation requests per second. Our system is not only performant in terms of latency and throughput, but also offers non-trivial monetary cost reduction. The talk will present the key derivation protocol, and discuss system’s security and scalability.