Glossary

DEK (data encryption key)

the AES-256 in-memory key that is used to encrypt the actual application-specific data.

Protected DEK

the DEK, protected with a master key using one of the available protection strategies.

Master key

a key that is used to protect a DEK.

Depending on the configured protection strategy, this will be either an AES-256 key (for the ENCRYPTION protection strategy) or a BRAINPOOLP256R1 EC keypair (for the KEY_PROTECTION protection strategy).

Depending on the configured HSM type, this will be either an HSM key (for the UTIMACO, LUNA_SA and PKCS11 HSM types) or a keystore (.bcfks) file (for the KEYSTORE HSM type).

Multiple master keys may exist for the same DEK, in which case each of them can be used to independently unprotect it. This serves the purpose of enabling back-ups and ensuring availability of the DEK.
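As an added illustration of the envelope design these entries describe (example code written for this glossary, not the product's own implementation), the Go program below wraps one in-memory DEK under two independent master keys and recovers it from either copy. It assumes the ENCRYPTION protection strategy and models each master key as a software AES-256 key that protects the DEK with AES-256-GCM, binding the master-key ID as associated data; the key labels, the wrap format and the function names are constructed for the example and do not come from the page. An HSM-held or keystore-file master key as described above would replace the in-memory key bytes with calls into the HSM or keystore, which is not shown here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ProtectedDEK is one copy of the DEK wrapped under one master key. AES-256-GCM
// wrapping is an assumption of this example, not the product's real format.
type ProtectedDEK struct {
	MasterKeyID string // constructed label, e.g. an HSM key or keystore entry
	Nonce       []byte
	Wrapped     []byte // GCM ciphertext and tag over the 32-byte DEK
}

// newGCM rejects any key that is not 32 bytes, so nothing silently runs AES-128.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand: never returns a short read; failure is fatal
	return b
}

// ProtectDEK wraps the in-memory DEK under one master key, binding the key ID
// as associated data so a copy cannot be unwrapped under a swapped label.
func ProtectDEK(masterKeyID string, masterKey, dek []byte) (ProtectedDEK, error) {
	aead, err := newGCM(masterKey)
	if err != nil {
		return ProtectedDEK{}, err
	}
	nonce := randomBytes(aead.NonceSize())
	wrapped := aead.Seal(nil, nonce, dek, []byte(masterKeyID))
	return ProtectedDEK{MasterKeyID: masterKeyID, Nonce: nonce, Wrapped: wrapped}, nil
}

// UnprotectDEK recovers the DEK from one copy; a wrong master key or a
// tampered copy fails authentication instead of yielding garbage key bytes.
func UnprotectDEK(p ProtectedDEK, masterKey []byte) ([]byte, error) {
	aead, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, p.Nonce, p.Wrapped, []byte(p.MasterKeyID))
}

// RecoverDEK tries each copy whose master key is still available: the DEK
// remains recoverable as long as any one of its master keys survives.
func RecoverDEK(copies []ProtectedDEK, available map[string][]byte) ([]byte, error) {
	for _, c := range copies {
		if mk, ok := available[c.MasterKeyID]; ok {
			if dek, err := UnprotectDEK(c, mk); err == nil {
				return dek, nil
			}
		}
	}
	return nil, errors.New("no available master key can unprotect any copy of the DEK")
}

// EncryptData and DecryptData use the unwrapped DEK on application data,
// with the GCM nonce prepended to the ciphertext.
func EncryptData(dek, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

func DecryptData(dek, ciphertext []byte) ([]byte, error) {
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(ciphertext) < ns {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return aead.Open(nil, ciphertext[:ns], ciphertext[ns:], nil)
}
```

Protect the same DEK once per master key and keep every ProtectedDEK copy; dropping one master key from the `available` map still leaves the DEK recoverable through the other copy, which is the availability property the entry above describes. A wrong master key, a relabelled copy or a truncated ciphertext fails the GCM authentication check rather than returning unusable key material.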