About
The Virtru Private Keystore (for Virtru Solutions) is an on-premise service that allows for customer-centric management of keys in a way that protects against plaintext access of the key within the Virtru SaaS. Sometimes this functionality is also referred to as a Customer Key Server (CKS).
High-level Overview
To keep the key from ever being available in plaintext within the Virtru SaaS, the Virtru Private Keystore holds a private and public key pair and uses it to perform a process we call "Key Rewrapping". Key Rewrapping allows a key stored on Virtru's servers to be retargeted to a user without Virtru itself ever being able to access that key. The steps of the key rewrapping process are as follows:
- Virtru Private Keystore receives a Key Rewrapping request from Virtru. The request contains the following:
  - The recipient's public key, used to rewrap the encrypted key stored at Virtru
  - The encrypted key stored at Virtru. This key was encrypted with the CKS's public key
- Virtru Private Keystore decrypts the encrypted key to get the plaintext key
- Virtru Private Keystore encrypts the plaintext key with the public key of the requesting user and responds to Virtru with this encrypted key.
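The exchange above, modelled as an added example that is not Virtru's own code: it assumes the Python `cryptography` package and uses RSA-OAEP as a stand-in for whatever wrapping scheme Virtru actually uses (the page does not say). It goes slightly beyond the text by also checking that neither Virtru's stored copy nor the rewrapped copy is usable without the matching private key.

```python
"""Toy model of the Key Rewrapping flow between Virtru and a Private Keystore (CKS)."""
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Assumption for illustration: RSA-OAEP/SHA-256 as the key-wrapping scheme.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


class PrivateKeystore:
    """The on-premise CKS: holds the private key and only ever returns wrapped keys."""

    def __init__(self) -> None:
        self._private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.public_key = self._private_key.public_key()   # shared with Virtru

    def rewrap(self, wrapped_key: bytes, recipient_public_key) -> bytes:
        # Step 1: unwrap with the CKS private key; the plaintext key exists only here
        plaintext_key = self._private_key.decrypt(wrapped_key, OAEP)
        # Step 2: wrap for the requesting user's public key and hand that back to Virtru
        return recipient_public_key.encrypt(plaintext_key, OAEP)


def virtru_store_key(cks_public_key, data_key: bytes) -> bytes:
    """What Virtru keeps: the data key wrapped to the CKS public key, never the plaintext."""
    return cks_public_key.encrypt(data_key, OAEP)


def can_unwrap(private_key, wrapped_key: bytes) -> bool:
    """True only if this private key matches the public key the blob was wrapped to."""
    try:
        private_key.decrypt(wrapped_key, OAEP)
        return True
    except ValueError:
        return False


def end_to_end_rewrap() -> dict:
    """Run one full rewrap and return every artefact so the properties can be checked."""
    cks = PrivateKeystore()
    data_key = os.urandom(32)                                  # constructed sample content key
    stored = virtru_store_key(cks.public_key, data_key)        # held by Virtru
    recipient = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    rewrapped = cks.rewrap(stored, recipient.public_key())     # response to Virtru
    recovered = recipient.decrypt(rewrapped, OAEP)             # only the recipient can do this
    return {"data_key": data_key, "stored": stored, "rewrapped": rewrapped,
            "recovered": recovered, "recipient": recipient}
```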
Architectural Overview
From an operational perspective, the CKS is deployed as a Docker container that must be accessible to the Virtru SaaS over TLS. The suggested deployment architecture of the CKS is depicted below.