Generating volatile protected keys by using the pkey device driver
You can generate protected keys from random data by reading the binary sysfs pkey attributes.
About this task
You do not need a Crypto Express adapter to generate a protected key from random data.
The /sys/devices/virtual/misc/pkey/protkey directory contains an attribute for each available key type. Read an attribute to obtain a protected key token.
Procedure
Go to the protkey subdirectory. The following attributes are available:
- protkey_aes_128
- protkey_aes_192
- protkey_aes_256
- protkey_aes_128_xts
- protkey_aes_256_xts
Each read of a non-XTS attribute returns exactly one protected-key token, that is, 80 bytes. Each read of an attribute for the XTS cipher mode returns two concatenated protected-key tokens, that is, 160 bytes.
Important: Do not use protected keys that are generated from random data to encrypt persistent data.
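Added example (not part of the original documentation): a shell helper that performs the read described in the procedure, checks that the result has the stated length (80 bytes, or 160 bytes for XTS), and splits an XTS result into its two tokens. The function names, the PROTKEY_DIR override, and the OUT.1/OUT.2 file naming are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not IBM code. Function names and the PROTKEY_DIR override
# are assumptions made for illustration.
PROTKEY_DIR=${PROTKEY_DIR:-/sys/devices/virtual/misc/pkey/protkey}
TOKEN_LEN=80    # size of one protected-key token, as stated above

# expected_len ATTR: print the number of bytes one read of ATTR returns.
expected_len() {
    case "$1" in
        protkey_aes_128|protkey_aes_192|protkey_aes_256) echo "$TOKEN_LEN" ;;
        protkey_aes_128_xts|protkey_aes_256_xts) echo $((2 * TOKEN_LEN)) ;;
        *) return 1 ;;
    esac
}

# read_protkey ATTR OUT: read ATTR once into OUT (owner-only permissions) and
# verify the length. For XTS attributes, also write the two tokens to OUT.1
# and OUT.2. Keep OUT on a tmpfs: these keys must not protect persistent data.
read_protkey() {
    attr=$1
    out=$2
    want=$(expected_len "$attr") || {
        echo "unknown attribute: $attr" >&2
        return 2
    }
    rm -f "$out"
    # Request the whole result in a single read of exactly the expected size.
    ( umask 077
      dd if="$PROTKEY_DIR/$attr" of="$out" bs="$want" count=1 2>/dev/null
    ) || return 3
    got=$(wc -c < "$out" | tr -d ' ')
    if [ "$got" -ne "$want" ]; then
        rm -f "$out"
        echo "$attr: got $got bytes, expected $want" >&2
        return 4
    fi
    if [ "$want" -gt "$TOKEN_LEN" ]; then
        ( umask 077
          dd if="$out" of="$out.1" bs="$TOKEN_LEN" count=1 2>/dev/null &&
          dd if="$out" of="$out.2" bs="$TOKEN_LEN" skip=1 count=1 2>/dev/null
        ) || return 5
    fi
}
```

Every call reads the attribute again and therefore yields a different key, so read once and reuse the saved token for as long as the key is needed.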
As an alternative to sysfs, you can use the ioctl calls; see External programming interfaces.