Encryption of VEK

The diagram below shows Encryption of VEK using PKCS#11 app. It includes following steps:

1. App passes VEK and Key derivation Strings to PKCS#11 library via their APIs.

2. PKCS#11 Library talks to TOS to derive VEK Encryption key based on key derivation Strings input.

3. PKCS#11 Library talks to SE Server to encrypt the VEK and returns Encrypted VEK.

4. App stores the Encrypted VEK in the filesystem (/etc/nvidia/efs/)

• Decryption of VEK and Use by dm-crypt