Methods and systems are described for enhanced-security database encryption via cryptographic software, where key management is carried out, without exporting or exposing cleartext keys, using an independent key manager coupled to a cryptographic hardware security module (HSM). A database encryption key management system is part of an HSM. A key manager circuit of the database encryption key management system generates a master key encryption key and stores it in the HSM. The key manager circuit generates an HMAC key and encrypts the HMAC key using the master key encryption key to generate a HMAC key cryptogram. The interface circuit of the database encryption key management system transmits the HMAC key cryptogram to a database server, which independently generates and stores a unique identifier. The HSM deletes the HMAC key from its storage media. The key manager circuit receives the HMAC key cryptogram and the unique identifier, decrypts the HMAC key cryptogram to obtain the HMAC key and, based at least on the HMAC key and the unique identifier, generates an HMAC. The interface circuit transmits the HMAC to the database server, which derives a database encryption key (DEK) using the HMAC as an input to a key derivation algorithm. The database encryption key resides in volatile memory of the database server. The master key encryption key resides within the HSM.
展开▼
