For the Crypteron managed security platform, the key hierarchy is as follows:
- Data is encrypted by separate, versioned data encryption keys (DEKs)
- Every DEK is encrypted with key-encryption keys (KEKs)
- KEKs are encrypted by an elliptic curve master encryption key (MEK)
- KEKs are signed by another distinct elliptic curve master signing key (MSK)
- Both the MEK and MSK are based on the SECP521 NIST curve which exceeds the Department of Defense’s Top Secret requirements.

For enterprise self-hosted plans, which typically target a single-application, single-tenant scenario, each application gets its own elliptic curve master encryption key (MEK) and master signing key (MSK). The DEKs are stored inside a NoSQL datastore, the keychain file. The keychain file is protected by the MEK and MSK and as such is always encrypted.
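The following Go program is an added illustration of the hierarchy described above, written for this page with the standard library; it is not Crypteron's code and does not reproduce its file formats. Each layer maps to one of the bullets: records are sealed with a versioned DEK, each DEK is wrapped under a KEK, the KEK is wrapped under a P-521 MEK and the wrapper is signed by a separate P-521 MSK (P-521 is the NIST curve the page refers to as SECP521). The ECIES-style MEK wrap (ephemeral ECDH, SHA-512 of the shared secret as the AES-256 key), the AES-GCM layout and the `Keychain` struct are assumptions made here so the example runs end to end; the security-relevant ordering it demonstrates is that the MSK signature is verified before the MEK private key is used at all.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"encoding/binary"
	"errors"
	"fmt"
)

const p521PointLen = 133 // uncompressed P-521 point: 0x04 || X (66 bytes) || Y (66 bytes)
// Keychain models the page's hierarchy: versioned DEKs wrapped under a KEK, the KEK wrapped
// under the MEK and signed by the MSK. Everything stored in it is ciphertext or a signature.
type Keychain struct {
	WrappedKEK   []byte            // ephemeral P-521 public key || AES-256-GCM(KEK)
	KEKSignature []byte            // ECDSA P-521 signature by the MSK over WrappedKEK
	WrappedDEKs  map[uint32][]byte // DEK version -> AES-256-GCM(DEK) under the KEK
}

// must is used only for local operations whose failure is fatal (CSPRNG, key generation,
// AES setup); anything derived from stored or received bytes returns an error instead.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

func randomBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }

// seal/open: AES-256-GCM, fresh 96-bit nonce prepended to the ciphertext, aad authenticated.
func seal(key, plaintext, aad []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(blob) < gcm.NonceSize() { return nil, errors.New("ciphertext missing or too short") }
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// MEKWrap is an ECIES-style construction (an assumption for this example, not Crypteron's
// format): ephemeral P-521 ECDH with the MEK public key, SHA-512(shared)[:32] as the AES key.
func MEKWrap(mekPub *ecdh.PublicKey, kek []byte) ([]byte, error) {
	eph := must(ecdh.P521().GenerateKey(rand.Reader))
	shared, err := eph.ECDH(mekPub)
	if err != nil { return nil, err }
	wrapKey := sha512.Sum512(shared)
	return append(eph.PublicKey().Bytes(), seal(wrapKey[:32], kek, []byte("KEK"))...), nil
}

// NewKeychain creates a fresh KEK, wraps it under the MEK and signs the wrapper with the MSK.
func NewKeychain(mekPub *ecdh.PublicKey, msk *ecdsa.PrivateKey) (*Keychain, error) {
	wrapped, err := MEKWrap(mekPub, randomBytes(32))
	if err != nil { return nil, err }
	digest := sha512.Sum512(wrapped)
	sig := must(ecdsa.SignASN1(rand.Reader, msk, digest[:]))
	return &Keychain{WrappedKEK: wrapped, KEKSignature: sig, WrappedDEKs: map[uint32][]byte{}}, nil
}

// OpenKEK verifies the MSK signature before the MEK private key is used at all, so a tampered
// or substituted keychain is rejected up front; it then reverses MEKWrap.
func (kc *Keychain) OpenKEK(mek *ecdh.PrivateKey, mskPub *ecdsa.PublicKey) ([]byte, error) {
	digest := sha512.Sum512(kc.WrappedKEK)
	if !ecdsa.VerifyASN1(mskPub, digest[:], kc.KEKSignature) { return nil, errors.New("keychain signature invalid") }
	if len(kc.WrappedKEK) < p521PointLen { return nil, errors.New("wrapped KEK too short") }
	ephPub, err := ecdh.P521().NewPublicKey(kc.WrappedKEK[:p521PointLen]) // rejects off-curve points
	if err != nil { return nil, err }
	shared, err := mek.ECDH(ephPub)
	if err != nil { return nil, err }
	wrapKey := sha512.Sum512(shared)
	return open(wrapKey[:32], kc.WrappedKEK[p521PointLen:], []byte("KEK"))
}

func versionTag(v uint32) []byte { return binary.BigEndian.AppendUint32(nil, v) }

// AddDEK generates DEK `version` under the KEK with the version bound as AAD, so a wrapped DEK
// cannot be moved to another slot unnoticed. Records carry their DEK version, so adding a newer
// DEK (rotation) leaves older records decryptable; DEK unwraps the requested version.
func (kc *Keychain) AddDEK(kek []byte, version uint32) {
	kc.WrappedDEKs[version] = seal(kek, randomBytes(32), versionTag(version))
}

func (kc *Keychain) DEK(kek []byte, version uint32) ([]byte, error) {
	return open(kek, kc.WrappedDEKs[version], versionTag(version))
}

func main() {
	mek := must(ecdh.P521().GenerateKey(rand.Reader))            // master encryption key
	msk := must(ecdsa.GenerateKey(elliptic.P521(), rand.Reader)) // master signing key
	kc := must(NewKeychain(mek.PublicKey(), msk))
	kek := must(kc.OpenKEK(mek, &msk.PublicKey))
	kc.AddDEK(kek, 1)
	dek := must(kc.DEK(kek, 1))
	record := append(versionTag(1), seal(dek, []byte("customer record"), versionTag(1))...) // version || AES-GCM(record)
	pt, err := open(dek, record[4:], record[:4])
	fmt.Printf("%s %v\n", pt, err)
}
```

In a deployment shaped like the page's self-hosted plan, `Keychain` is what sits in the keychain file and `mek`/`msk` are the per-application master keys held elsewhere: the file contains no plaintext key, a tampered or swapped file fails the MSK check before any decryption is attempted, and because each record starts with its DEK version, rotating to a new DEK with `AddDEK` does not strand records encrypted under older versions.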