A method and system are disclosed for allowing a central processing unit (CPU) to perform signing/decryption operations securely. The system includes the CPU, which embeds an asymmetric private decryption key called CPU Decryption Key (CDK). A public key corresponding to the CDK, known as CPU Encryption Key (CEK) is published by the CPU vendor, and comes with a vendor-signed certificate. The CPU exposes two instructions - IMPORT_KEY and USE_KEY, which point to memory locations for storing decrypted keys, wrapped keys, and data. The disclosed mechanism provides a high level of security in cloud environments by providing a secure key delivery to the signer and protecting the signer. In addition, it involves low cost when compared to hardware security modules(HSM).

Creative Commons License

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.