Amazon.com, Inc.
Key export techniques

Abstract:

A computer system performs cryptographic operations as a service. The computer system is configured to allow users of the service to maintain control of their respective cryptographic material. The computer system uses inaccessible cryptographic material to encrypt a user's cryptographic material in a token that is then provided to the user. The user is unable to access a plaintext copy of the cryptographic material in the token, but can provide the token back to the service to cause the service to decrypt and use the cryptographic material.