What is the KEK - key encryption key?
What are DEK, KEK and MEK/Master key?
Secure Storage
- DEK: Data Encryption Key
- KEK: Key Encryption Key
Master Key: Generally will describe one of the two above keys. Depending on the scheme in which it is implemented. This type of encryption scheme is often used for secure storage. Microsoft Windows is known to use this type of encryption scheme to protect user credentials and other types of data that are secured for a user. Microsoft generates a Key Encryption Key using the user's password. This KEK is then used to encrypt what they call the Master Key. The Master Key is really a Data Encryption Key. It will be used to encrypt any data that is put in the user's protected storage. Key management for Full Disk Encryption will also work the same way. The FDE software will randomly generate a DEK, then use the user's password/keyfile/smart card to create a KEK in order to encrypt the DEK. This mechanism allows the user to change their password without having to decrypt and re-encrypt the entire volume. Instead, the DEK is just re-encrypted with the new KEK.
Secure Protocols Master keys as you hear them used in SSL/TLS or SSH are different. Generally speaking the shared secret will be mixed with a secure algorithm so that both parties can generate a Master Key. The Master Key is then used to generate the Encryption Keys, Integrity Keys, and Initialization Vectors for both sides of communication. Here is how those keys are derived for SSL/TLS.