Abstract: A method for transforming a wrapped key token into a protected key may be provided. The protected key is protected by a volatile master key kept in the firmware of a virtual server. The method comprises creating an isolated virtual server that maintains a master key. The virtual server and the isolated virtual server share parts of same hypervisor's firmware. The method further comprises configuring an association—using a shared secret—between the virtual server and the isolated virtual server. The method further comprises establishing a secure communication channel between the virtual server and the isolated virtual server, based on the secret, and providing to the virtual server the wrapped key token comprising a random key wrapped by the isolated virtual server master key, and providing to the virtual server, in response to submitting the wrapped key token, via a second service, the protected key.

Abstract: A method for transforming a wrapped key token into a protected key may be provided. The protected key is protected by a volatile master key kept in the firmware of a virtual server. The method comprises creating an isolated virtual server that maintains a master key. The virtual server and the isolated virtual server share parts of same hypervisor's firmware. The method further comprises configuring an association—using a shared secret—between the virtual server and the isolated virtual server. The method further comprises establishing a secure communication channel between the virtual server and the isolated virtual server, based on the secret, and providing to the virtual server the wrapped key token comprising a random key wrapped by the isolated virtual server master key, and providing to the virtual server, in response to submitting the wrapped key token, via a second service, the protected key.