US 12,355,873 B1
Secure cryptographic secret bootstrapping in a provider network
Eric Chase, Seattle, WA (US); Derin L Fleming, Seattle, WA (US); and Jackson Hill, Renton, WA (US)
Assigned to Amazon Technologies, Inc., Seattle, WA (US)
Filed by Amazon Technologies, Inc., Seattle, WA (US)
Filed on Mar. 30, 2023, as Appl. No. 18/128,711.
Int. Cl. H04L 9/08 (2006.01); G06F 21/72 (2013.01); G06F 21/62 (2013.01); G06F 21/81 (2013.01)
CPC H04L 9/0877 (2013.01) [G06F 21/72 (2013.01); H04L 9/0819 (2013.01); H04L 9/0897 (2013.01); G06F 21/62 (2013.01); G06F 21/81 (2013.01); H04L 9/0822 (2013.01)]
20 Claims
1. A computer-implemented method comprising:
before an event that causes a cluster of a plurality of hardware security modules to lose electrical power:
receiving, at a particular hardware security module of the cluster, a request to export a cryptographic secret used by the particular hardware security module to perform a cryptographic operation; and
in response to receiving the request to export the cryptographic secret:
using, at the particular hardware security module, a symmetric key to encrypt the cryptographic secret to yield an encrypted cryptographic secret;
requesting, at the particular hardware security module, a trusted platform module of the particular hardware security module to seal the symmetric key to yield a sealed symmetric key; and
returning the sealed symmetric key and the encrypted cryptographic secret;
after the event that causes the cluster of the plurality of hardware security modules to lose electrical power:
receiving, at the particular hardware security module, a request to import the cryptographic secret to the particular hardware security module, the request to import comprising the sealed symmetric key and the encrypted cryptographic secret; and
in response to receiving the request to import the cryptographic secret to the particular hardware security module:
requesting, at the particular hardware security module, the trusted platform module to unseal the sealed symmetric key to yield an unsealed symmetric key;
using, at the particular hardware security module, the unsealed symmetric key to decrypt the encrypted cryptographic secret to yield a decrypted cryptographic secret; and
using, at the particular hardware security module, the decrypted cryptographic secret to perform a cryptographic operation.
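The export and import flow of claim 1, as an added simulation that is not code from the patent or from Amazon. `SimulatedTPM` and `SimulatedHSM` are hypothetical names, the secret is assumed to sit in volatile memory, and the HMAC-SHA256 stream cipher with encrypt-then-MAC is a standard-library stand-in for the authenticated cipher and TPM seal operation a real device would use.

```python
import hashlib, hmac, secrets

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as the keystream (stand-in cipher, see lead-in)
    blocks = (len(data) + 31) // 32
    stream = b"".join(_mac(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_mac(key, b"enc"), nonce, plaintext)
    return nonce + ct + _mac(_mac(key, b"mac"), nonce + ct)  # encrypt-then-MAC

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(_mac(key, b"mac"), nonce + ct)):
        raise ValueError("authentication failed")
    return _xor_stream(_mac(key, b"enc"), nonce, ct)

class SimulatedTPM:
    """Models one property only: a seal key that never leaves the chip and survives power loss."""
    def __init__(self):
        self._seal_key = secrets.token_bytes(32)
    def seal(self, data):
        return encrypt(self._seal_key, data)
    def unseal(self, blob):
        return decrypt(self._seal_key, blob)

class SimulatedHSM:
    def __init__(self, secret=None):
        self.tpm = SimulatedTPM()
        self._secret = secret              # assumption: held in volatile memory
    def export_secret(self):
        sym_key = secrets.token_bytes(32)  # assumption: generated per export
        return self.tpm.seal(sym_key), encrypt(sym_key, self._secret)
    def power_loss(self):
        self._secret = None                # volatile state gone; TPM seal key remains
    def import_secret(self, sealed_key, encrypted_secret):
        sym_key = self.tpm.unseal(sealed_key)
        self._secret = decrypt(sym_key, encrypted_secret)
    def mac_message(self, message):        # stands in for "a cryptographic operation"
        if self._secret is None:
            raise RuntimeError("no cryptographic secret loaded")
        return _mac(self._secret, message)
```

Because the sealed key can only be opened by the TPM that sealed it, the pair returned by `export_secret` can be held outside the module and is usable only when handed back to the same module.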