Home

keywrapping

Key wrapping is a cryptographic technique used to securely encapsulate key material by encrypting it with another key, called the key-encryption key (KEK). The result is a wrapped key blob that preserves confidentiality and, in well-designed schemes, integrity during storage or transmission. The typical goal is to protect keys used for data encryption, authentication, or other cryptographic operations from disclosure or tampering.

In a standard key-wrap process, a KEK is applied to a content-encryption key or other sensitive material

Common standards and algorithms include AES Key Wrap (RFC 3394) and AES Key Wrap with Padding (RFC

Applications include securing keys at rest, protecting keys during transport between systems or components, and safeguarding

(the
CEK
or
key
material).
The
wrapping
algorithm
produces
a
structured,
opaque
blob
that
can
be
stored
or
sent.
When
needed,
a
corresponding
unwrap
operation
uses
the
same
KEK
to
recover
the
original
key
material.
Good
key
wrapping
schemes
provide
both
confidentiality
and
tamper
detection,
so
altered
wrapped
keys
are
detected
during
unwrap.
5649).
These
specify
how
the
KEK
and
the
wrapped
key
are
combined,
including
any
initialization
data
and
integrity
checks.
National
and
industry
guidelines,
such
as
NIST
SP
800-38F,
describe
recommended
practices
for
using
key
wrap
in
key
management.
While
AES
KW
is
the
most
widely
used,
other
methods
exist,
including
public-key-based
wrapping
(for
example
RSAES-OAEP)
in
hybrid
schemes
and
CMS-specific
wrap
formats.
backups.
Key
management
practices—proper
generation
and
protection
of
KEKs,
regular
rotation,
access
controls,
and
secure
storage
in
hardware
security
modules—are
essential
to
the
security
of
a
key-wrapping
solution.