Intel Engineers Revise Key Locker Implementation For Linux


  • Intel Engineers Revise Key Locker Implementation For Linux

    Phoronix: Intel Engineers Revise Key Locker Implementation For Linux

    Going back to 2020 has been work by Intel's open-source engineers on implementing Key Locker support for Linux. Intel Key Locker allows for encrypting/decrypting data with an AES key without having access to the raw/actual key. AES keys are converted into handles with Intel Key Locker that can then be used for carrying out encryption/decryption on that system until revoked or system state changes. Intel engineers on Wednesday posted their seventh iteration of the patches for supporting Key Locker on Linux...


  • #2
    On a practical level, are there limits on how many keys can be enrolled? Does it have a blob that is saved by the OS that contains the key material, or is it internal flash or something?



    • #3
      Sounds like PKCS#11 appliance on board or CPU?
      I am too lazy to google.

      God damn it...


      Looks like some kind of hardware solution to prevent memory bleeding? (To protect private keys, etc.?)



      • #4
        Originally posted by microcode
        On a practical level, are there limits on how many keys can be enrolled? Does it have a blob that is saved by the OS that contains the key material, or is it internal flash or something?
        From the Intel Key Locker Spec PDF:
        There is no arbitrary limit on the number of key handles that can be created. An internal wrapping key is used to create the handles, each of which is essentially an encrypted form of an underlying AES key. The internal wrapping key can be created and loaded by privileged software, or it can be randomly generated by the CPU in a way that is designed not to reveal its value to any software.



        • #5
          Originally posted by dimko
          Sounds like PKCS#11 appliance on board or CPU?
          I am too lazy to google.

          God damn it...


          Looks like some kind of hardware solution to prevent memory bleeding? (To protect private keys, etc.?)
          It's a way to minimize the risk of the AES key being leaked in memory. Normally you would have to pass the key from memory to the AES instruction to encrypt a block of data, but with Key Locker you basically register an AES key and then just refer to it by id when calling the AES instruction to encrypt, so the window of exposure is just the time between your application acquiring/generating the key and registering it.

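          The points made in #4 (an internal wrapping key turns each AES key into an encrypted, integrity-protected handle, and the wrapping key is never revealed to software) and in #5 (the application discards the raw key right after registering it and thereafter only passes the handle) can be seen in a small software model. The model below is an added illustration written for this thread; it is not Intel's code, not the Linux patch series, and not the real handle format. KeyLockerModel, encode_key, encrypt_block, HandleInvalid and exposure_window_demo are all constructed names, and HMAC-SHA256 stands in for the AES-based constructions so the example runs with only the Python standard library.

```python
import hashlib
import hmac
import secrets
from typing import Optional

KEY_LEN = 16    # AES-128 key size in bytes
NONCE_LEN = 16
TAG_LEN = 16


class HandleInvalid(Exception):
    """Raised when a handle does not verify under the current wrapping key."""


class KeyLockerModel:
    """Hypothetical software model of a CPU holding an internal wrapping key (IWK).

    Mirrors the thread's description: the IWK is either loaded by privileged
    software or drawn at random and never handed out, and a handle is an
    encrypted, integrity-protected form of an AES key. HMAC-SHA256 replaces
    the real AES-based construction purely so this model is self-contained.
    """

    def __init__(self, iwk: Optional[bytes] = None) -> None:
        # Privileged software supplies a wrapping key, or the "CPU" generates one.
        self._iwk = iwk if iwk is not None else secrets.token_bytes(32)

    def _prf(self, label: bytes, data: bytes) -> bytes:
        return hmac.new(self._iwk, label + data, hashlib.sha256).digest()

    def encode_key(self, aes_key: bytes) -> bytes:
        """Convert a raw AES key into a handle laid out as nonce || wrapped key || tag."""
        if len(aes_key) != KEY_LEN:
            raise ValueError("model supports 128-bit keys only")
        nonce = secrets.token_bytes(NONCE_LEN)
        pad = self._prf(b"wrap", nonce)[:KEY_LEN]
        wrapped = bytes(a ^ b for a, b in zip(aes_key, pad))
        tag = self._prf(b"tag", nonce + wrapped)[:TAG_LEN]
        return nonce + wrapped + tag

    def _unwrap(self, handle: bytes) -> bytes:
        # Only the holder of the IWK recovers the key; a handle made under a different
        # IWK (e.g. after a reboot regenerated it) fails the integrity check instead.
        if len(handle) != NONCE_LEN + KEY_LEN + TAG_LEN:
            raise HandleInvalid("bad handle length")
        nonce = handle[:NONCE_LEN]
        wrapped = handle[NONCE_LEN:NONCE_LEN + KEY_LEN]
        tag = handle[NONCE_LEN + KEY_LEN:]
        expected = self._prf(b"tag", nonce + wrapped)[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            raise HandleInvalid("handle does not verify under the current wrapping key")
        pad = self._prf(b"wrap", nonce)[:KEY_LEN]
        return bytes(a ^ b for a, b in zip(wrapped, pad))

    def encrypt_block(self, handle: bytes, counter: int, block: bytes) -> bytes:
        """Encrypt one 16-byte block by handle; the raw key exists only inside this call.

        A counter-mode keystream from HMAC-SHA256 stands in for AES here.
        """
        if len(block) != 16:
            raise ValueError("block must be 16 bytes")
        key = self._unwrap(handle)
        keystream = hmac.new(key, counter.to_bytes(16, "big"), hashlib.sha256).digest()[:16]
        return bytes(a ^ b for a, b in zip(block, keystream))

    # Counter-mode XOR is its own inverse, so decryption is the same operation.
    decrypt_block = encrypt_block


def exposure_window_demo() -> bool:
    """Application flow from #5: generate a key, register it, discard it, use the handle.

    Returns True when encryption round-trips through the handle, the ciphertext
    differs from the plaintext, and a 'CPU' with a fresh wrapping key rejects the
    stale handle.
    """
    cpu = KeyLockerModel()
    raw_key = bytearray(secrets.token_bytes(KEY_LEN))   # constructed sample key
    handle = cpu.encode_key(bytes(raw_key))
    for i in range(len(raw_key)):                        # raw key is wiped after this
        raw_key[i] = 0
    plaintext = b"sixteen-byte-msg"                      # constructed sample block
    ciphertext = cpu.encrypt_block(handle, 1, plaintext)
    round_trip = cpu.decrypt_block(handle, 1, ciphertext) == plaintext

    rebooted_cpu = KeyLockerModel()                      # new random IWK
    try:
        rebooted_cpu.encrypt_block(handle, 1, plaintext)
        stale_rejected = False
    except HandleInvalid:
        stale_rejected = True
    return round_trip and ciphertext != plaintext and stale_rejected
```

          The property worth noticing is in `_unwrap`: everything outside the model only ever holds a handle, and the handle is useless to any party that does not hold the wrapping key, which is why a leaked handle is far less damaging than a leaked key and why handles stop working once the wrapping key is replaced.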
