How can you design and implement the KMS in such a way that it runs in a trusted execution environment (TEE)? A TEE runs code in an enclave, to which even an administrator in the normal, rich execution environment does not have access. Therefore, even if a malicious actor has gained access to the system where the KMS is running, they shall not have access to any information in the secure enclave, and in particular not to the secrets. A common problem with secure enclaves is how to get secrets into them initially. The feasibility of using the code in the TEE to, e.g., terminate TLS connections or access the TPM shall also be investigated. Finally, in the case of a distributed KMS with multiple nodes, an administrator shall ideally only have to provide the initial secret to one node, and subsequent nodes should be able to receive the secret from unsealed nodes in a secure manner.
Contact: Mathias Björkqvist (M.A.Bjorkqvist@hhs.nl)