We utilize a master key and a key reference system to ensure the security of the key.
Master key
- The root of the key hierarchy
- Stored securely in HSM/KMS
- Used to protect other keys
- Never leaves secure hardware
- The foundation of key security system
class MasterKeySystem:
def __init__(self):
self.hsm = HSMClient()
def create_master_key(self):
# Master Key created and stored in HSM
master_key_id = self.hsm.generate_master_key()
return master_key_id
def encrypt_data_key(self, data_key):
# Encrypt actual encryption key using master key
master_key = self.hsm.get_master_key()
encrypted_key = encrypt(data_key, master_key)
# Return reference to encrypted key
return {
'key_id': generate_uuid(),
'encrypted_key': encrypted_key
}
1. Security:
- Actual keys never stored in application/database
- Keys protected by hardware security
- Limited exposure of sensitive key material
2. Management:
- Centralized key control
- Easier key rotation
- Better audit tracking
- Simplified access control
Key Reference
- Pointer/identifier to encrypted keys
- Contains metadata about the key
- Stored in database
- It doesn’t contain actual key material
- Used to track and manage keys
class KeyReferenceSystem:
def generate_data_key(self):
# 1. Generate actual data key
data_key = os.urandom(32)
# 2. Encrypt with master key
encrypted_key = self.encrypt_with_master_key(data_key)
# 3. Store reference in database
key_reference = {
'key_id': uuid.uuid4(),
'encrypted_key': encrypted_key,
'created_at': datetime.now(),
'status': 'active'
}
return key_reference
def use_key_reference(self, key_reference):
# 1. Get encrypted key from reference
encrypted_key = key_reference['encrypted_key']
# 2. Decrypt using master key from HSM
data_key = self.decrypt_with_master_key(encrypted_key)
# 3. Use key for operation but never store
return data_key
How it work
1. Key Creation:
Master Key (HSM) → Encrypts Data Key → Store Key Reference
2. Key Usage:
Get Reference → Use Master Key → Decrypt Data Key → Use → Wipe
3. Key Rotation:
New Key → Encrypt with Master → Update Reference → Retire Old
1. Database Encryption:
Master Key → TDE Key → Data Encryption
2. Application Data:
Master Key → Application Keys → Data Keys
3. Storage:
Master Key → Volume Keys → Sector Keys
class EncryptionService:
def encrypt_sensitive_data(self, data):
try:
# 1. Get key reference from database
key_ref = self.db.get_key_reference('active_key')
# 2. Get master key from HSM
master_key = self.hsm.get_master_key()
# 3. Decrypt the data key
data_key = decrypt(
key_ref['encrypted_key'],
master_key
)
# 4. Use data key to encrypt data
encrypted_data = encrypt(data, data_key)
# 5. Clear data key from memory
self.secure_wipe(data_key)
return encrypted_data
except Exception as e:
log.error(f"Encryption failed: {str(e)}")
raise
class KeyRotation:
def rotate_keys(self):
# 1. Generate new data key
new_data_key = os.urandom(32)
# 2. Encrypt with current master key
encrypted_key = self.encrypt_with_master_key(new_data_key)
# 3. Create new reference
new_reference = {
'key_id': uuid.uuid4(),
'encrypted_key': encrypted_key,
'created_at': datetime.now()
}
# 4. Update database
self.update_key_reference(new_reference)
KMS interacts with multiple-layer flow

KMS Tools
- HashiCorp Vault Enterprise
Strengths:
- Comprehensive key management
- Multi-layer encryption support
- Strong access control
- Excellent integration capabilities
- Auto key rotation
- Dynamic secrets
- API-driven
- High availability
- Disaster recovery
Layer Support:
- Application: ✓ API & SDK support
- Transport: ✓ TLS certificate management
- Database: ✓ Database credential management
- Storage: ✓ Encryption as service
- Thales CipherTrust Manager
Strengths:
- Enterprise-grade security
- FIPS 140-2 certified
- Comprehensive key lifecycle
- Multi-cloud support
- Centralized management
- Strong compliance features
Layer Support:
- Application: ✓ API integration
- Transport: ✓ SSL/TLS management
- Database: ✓ Database encryption
- Storage: ✓ Storage encryption
For example, Vault interacts with multiple-layer
