Security | 2025-01-15 | 8 min

KeyMe Pass Double-Layer Encryption Architecture: Why Your Data is So Secure

Learn about KeyMe Pass's KEK/DEK double-layer encryption architecture and understand why even the server cannot access your data.

What is Double-Layer Encryption Architecture?

KeyMe Pass uses the industry-leading KEK/DEK double-layer encryption architecture, a proven security design pattern widely used in banking, government agencies, and major tech companies.

The Relationship Between KEK and DEK

In KeyMe Pass's encryption architecture:

  • KEK (Key Encryption Key): Derived from your PIN. The KEK is used only to encrypt and decrypt the DEK and is never used directly to encrypt data.
  • DEK (Data Encryption Key): The actual key used to encrypt all your data. The DEK is randomly generated and unique to each user.

Why Do We Need Double-Layer Encryption?

The core advantages of double-layer encryption architecture:

  1. Key Separation: Even if an attacker obtains the encrypted DEK, they cannot decrypt it without the KEK.
  2. Flexible Updates: When you change your PIN, you only need to re-encrypt the DEK with the new KEK, without re-encrypting all data.
  3. Multi-Layer Protection: Supports both PIN and biometric authentication, but both are based on the same DEK.

Detailed Encryption Process

When you first use KeyMe Pass:

  1. The system randomly generates a 32-byte DEK
  2. The KEK is derived from your PIN through a KDF (Key Derivation Function)
  3. The DEK is encrypted with the KEK and stored on your device
  4. The DEK encrypts all passwords, IDs, and other sensitive data
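
The four steps above, together with the PIN change described under "Flexible Updates", as an added Node.js example; this is not KeyMe Pass's own code. The page names neither the KDF nor the AES mode, so scrypt and AES-256-GCM are assumptions here, and all function names, PINs and the sample record are constructed for illustration.

```javascript
// Added illustration, not KeyMe Pass source code.
// Assumptions (the page names neither): scrypt as the KDF, AES-256-GCM as the mode.
const { randomBytes, scryptSync, createCipheriv, createDecipheriv } = require('node:crypto');

// AES-256-GCM encrypt: returns nonce, ciphertext and authentication tag.
function seal(key, plaintext) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// AES-256-GCM decrypt: throws if the key is wrong or the blob was modified.
function unseal(key, { iv, ct, tag }) {
  const d = createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]);
}

// Step 2: the KEK is derived from the PIN and a per-user random salt.
const deriveKek = (pin, salt) => scryptSync(pin, salt, 32);

// Steps 1-3: random 32-byte DEK, wrapped under the KEK.
// Only the salt and the wrapped DEK are stored; the KEK is never persisted.
function enroll(pin) {
  const dek = randomBytes(32);
  const salt = randomBytes(16);
  return { dek, keystore: { salt, wrapped: seal(deriveKek(pin, salt), dek) } };
}

// Unlock: re-derive the KEK from the PIN and unwrap the DEK.
const unlock = (pin, ks) => unseal(deriveKek(pin, ks.salt), ks.wrapped);

// PIN change: re-wrap the same DEK under a new KEK; data records are untouched.
function changePin(oldPin, newPin, ks) {
  const dek = unlock(oldPin, ks);
  const salt = randomBytes(16);
  return { salt, wrapped: seal(deriveKek(newPin, salt), dek) };
}

// Constructed demo: the PINs and the record are sample data.
function demo() {
  const { dek, keystore } = enroll('4821');
  const record = seal(dek, Buffer.from('example.com:hunter2')); // step 4
  const rotated = changePin('4821', '9035', keystore);
  const readBack = unseal(unlock('9035', rotated), record).toString();
  let oldPinRejected = false;
  try { unlock('4821', rotated); } catch { oldPinRejected = true; }
  return { readBack, oldPinRejected };
}
```

Because the KEK is only as strong as the PIN, the KDF cost parameters and any limit on unlock attempts are what protect a copied keystore from offline guessing.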

Security Guarantees

KeyMe Pass's double-layer encryption architecture ensures:

  • Zero Server Trust: Even if data is stored on a server, the server cannot decrypt it because the DEK is only stored on your device
  • PIN Protection: Without the correct PIN, you cannot derive the KEK, and thus cannot decrypt the DEK
  • Biometric Enhancement: Biometrics provide convenience, but security is still based on the PIN
  • Standard Compliant: Uses AES-256 encryption, the standard trusted by governments and banks worldwide

Conclusion

KeyMe Pass's double-layer encryption architecture is not a marketing gimmick, but a rigorously designed and verified security solution. It ensures that even the most sensitive data receives the highest level of protection. Your password is your key, and only you have it.