For the Crypteron managed security platform, key storage is as follows:
- The encrypted DEKs are kept in a secure database. They are encrypted at rest as well as in transit.
- The encrypted KEKs are stored in an internal NoSQL datastore. They are encrypted at rest as well as in transit.
- The master elliptic curve encryption key (technically the private key for decryption) is stored on the application server inside a secured certificate vault. A long-term, encrypted copy is stored on an offline encrypted volume for business continuity purposes.
For enterprise self-hosted plans, the organization controls how keys are stored. Typically the layout is as follows:
- The encrypted DEKs are stored in an internal NoSQL datastore, the keychain file, which can live on the application server or on an external file or blob server. The underlying storage can technically be untrusted, since the keychain is always encrypted.
- The elliptic curve keys are stored on the application server inside a secured certificate vault. We recommend keeping a long-term encrypted copy at a secure location for business continuity purposes.