Volume Encryption Key Management

Several keys are involved in Encrypted File System (EFS) functionality:

  • Volume Encryption Key (VEK): The VEK is the key with which data flowing between the file system and the disk is encrypted and decrypted. It is passed as input to the dmsetup tool, which in turn hands it to the kernel dm-crypt layer, where it is used to encrypt and decrypt data at the block level. The VEK is generated by the hardware RNG (Random Number Generator), accessed through the PKCS#11 application.
  • VEK Encryption Key: The VEK encryption key is used to encrypt and decrypt the VEK, so that the VEK itself is never stored in the clear. This key is derived from the OEM_K1 fuse key using the NIST SP800-108 counter-mode KDF (HMAC-SHA256) with unique derivation-string and label inputs, again through the PKCS#11 application. In later releases, the VEK encryption key will be derived from OEM_KDK0 instead of OEM_K1.
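The derivation described above, as an added illustration rather than the product's own PKCS#11 application: this Python block implements the NIST SP800-108 counter-mode KDF with HMAC-SHA256 as the PRF and uses it to derive a VEK encryption key. The OEM_K1 value, the label and the context are constructed placeholders (the real fuse key never leaves the SoC, and the actual derivation strings are not given on this page); os.urandom stands in for the hardware RNG that produces the VEK.

```python
import hashlib
import hmac
import os
import struct


def sp800_108_counter_kdf(ki: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """NIST SP800-108 KDF in counter mode, PRF = HMAC-SHA256.

    K(i) = HMAC-SHA256(KI, [i]_32 || Label || 0x00 || Context || [L]_32), i = 1..n,
    where L is the requested output length in bits and both [i] and [L] are
    32-bit big-endian fields. The result is K(1) || ... || K(n) truncated to
    `length` bytes. Because L is bound into every block, asking for a different
    length yields an unrelated key, not a prefix of the longer one.
    """
    h_len = hashlib.sha256().digest_size
    n = -(-length // h_len)  # ceil(length / h_len)
    if n > 0xFFFFFFFF:
        raise ValueError("requested length too large for a 32-bit counter")
    l_bits = struct.pack(">I", length * 8)
    out = b""
    for i in range(1, n + 1):
        msg = struct.pack(">I", i) + label + b"\x00" + context + l_bits
        out += hmac.new(ki, msg, hashlib.sha256).digest()
    return out[:length]


def derive_vek_encryption_key(oem_k1: bytes, label: bytes, context: bytes) -> bytes:
    """Derive the 256-bit key that wraps the VEK from the OEM_K1 fuse key.
    Distinct label/context inputs give cryptographically independent keys,
    which is what keeps the VEK wrapping key separate from any other key
    derived from the same fuse."""
    return sp800_108_counter_kdf(oem_k1, label, context, 32)


def generate_vek(nbytes: int = 32) -> bytes:
    """Stand-in for the SoC hardware RNG that produces the real VEK."""
    return os.urandom(nbytes)


# Constructed stand-in for the OEM_K1 fuse value (assumption; not a real key).
OEM_K1_DEMO = bytes(range(32))
# Placeholder label and context; the product's real derivation strings are not on this page.
VEK_EK_LABEL = b"VEK-ENCRYPTION-KEY"
VEK_EK_CONTEXT = b"device-unique-context-placeholder"

if __name__ == "__main__":
    vek_ek = derive_vek_encryption_key(OEM_K1_DEMO, VEK_EK_LABEL, VEK_EK_CONTEXT)
    vek = generate_vek()
    print("VEK encryption key:", vek_ek.hex())
    print("VEK to be wrapped by it:", vek.hex())
```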