Cloud Key management and Master Keys for Encryption in Cloud

Encryption in the cloud obviously requires encryption keys. To be really secure, you need lots of keys, a different one for each significant object (each file, each disk, and so one). But where do you put them?

If you read the literature on the web, you’ll find two options, both far from optimal:

  • let someone manage them for you, which means you have to trust that “someone” to keep your secrets
  • manage your keys back in your own data center, which means your cloud project is not purely “cloudy”

Porticor does Cloud Security differently. It’s like renting a safety deposit box from a (physical) banker. You, the customer, get one key; and the banker keeps another. That way the customer knows the banker will never peek in the box; but if the customer gets mugged, the banker won’t allow the mugger to use his key.

Porticor implements this idea for cloud encryption and cloud key management. But we do it one better – since even the “banker” does not hold any usable key by himself.

How can that be?

Generating the Master Key, Securely

Porticor VPD encrypts your data in the cloud. To do so, it generates random encryption keys in cloud. In fact, lots of random encryption keys, one for each secured “object”. One of the central features of Porticor is the advanced cloud key management system, the Porticor Virtual Key Management system, or PVKM.

PVKM takes a unique (patent pending) approach to cloud key management: the owner of a public cloud account no longer needs to place his or her secrets in the hands of the cloud provider, nor in the hands of any other provider (not even Porticor). Our customers do not have to trust the cloud provider with their secrets. They don’t even have to trust us!

And yet – and this is a big thing – they do not have to put their many keys back in their data center, either! Our customers can have a pure cloud solution, yet trust only themselves.

PVKM implements the “Swiss Banker” paradigm, by breaking the cryptographic keys into two parts, using some sophisticated mathematics. One part is stored in our high-capacity PVKM, in an encrypted form which even we cannot read.

The other part consists of a Master Key – a strong key that can be easily managed, even written on paper and stored safely in a real physical safe. Porticor never sees the Master Key. Only the customer gets to see it.

Even more, all of the many keys kept in PVKM are encrypted using math that involves (among other things) the Master Key. As a result, even Porticor has no idea of the actual values of all these keys, though we provide a fully featured management and storage facility for them.

Porticor VPD by default implements strong security, and will not write the Master Key to any physical location – it never gets written to any disk, for example.


  1. […] article is not technical, you can read a more in-depth description of our key management solution here, or download the Porticor key encryption whitepaper here. 2. While not part of the article, […]

Speak Your Mind