Idea:
With an HSM there are actually two ways of implementing encryption:
- use the HSM to decrypt the individual file keys
- use the HSM to decrypt the master key, keep it in memory (maybe even cache it with APCu), and do the file encryption internally
The current implementation does the former. But we already ran into cases where every decrypt operation had to be paid for. In those cases the idea is to protect against the key being stored physically on the same machine. And the trade-off of storing it in memory vs. keeping it out of the machine is driven by cost factors.
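To make the two variants and their cost/exposure trade-off concrete, here is an added example (not code from this project): a simulated HSM that meters every unwrap call, a toy SHA-256 keystream standing in for the real file cipher, and a plain dict standing in for APCu. Variant 1 pays one HSM call per file read and never holds more than one file key; variant 2 pays one HSM call total but keeps the master key resident in process memory.

```python
import hashlib
import secrets

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream XOR: a stand-in for AES (constructed, not production crypto)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt under a fresh random nonce; the nonce is prepended to the output."""
    nonce = secrets.token_bytes(16)
    return nonce + xor_stream(key, nonce, data)

def unseal(key: bytes, blob: bytes) -> bytes:
    return xor_stream(key, blob[:16], blob[16:])

class SimulatedHsm:
    """Stand-in HSM: the key-encryption key never leaves it, and every unwrap is counted as a billable call."""
    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)
        self.unwrap_calls = 0
    def wrap(self, key: bytes) -> bytes:
        return seal(self._kek, key)
    def unwrap(self, blob: bytes) -> bytes:
        self.unwrap_calls += 1
        return unseal(self._kek, blob)

def provision_master(hsm):
    """Variant 2 setup: generate a master key and return (master_key, master key wrapped by the HSM)."""
    mk = secrets.token_bytes(32)
    return mk, hsm.wrap(mk)

def store_files(hsm, plaintexts, master_key=None):
    """Encrypt each file under its own key. Variant 1 (master_key=None) wraps that key in the HSM;
    variant 2 wraps it locally under the master key, so the HSM is not involved per file."""
    stored = []
    for pt in plaintexts:
        fk = secrets.token_bytes(32)
        wrapped = hsm.wrap(fk) if master_key is None else seal(master_key, fk)
        stored.append((wrapped, seal(fk, pt)))
    return stored

def read_per_file_via_hsm(hsm, stored):
    """Variant 1: one HSM unwrap per file read; only a single file key is ever resident here."""
    return [unseal(hsm.unwrap(w), ct) for w, ct in stored]

def read_via_cached_master(hsm, wrapped_master, cache, stored):
    """Variant 2: unwrap the master key once and keep it in a process cache (dict stands in for APCu);
    file keys are then unwrapped locally. The cost is that the master key is resident on this host."""
    if "master" not in cache:
        cache["master"] = hsm.unwrap(wrapped_master)
    return [unseal(unseal(cache["master"], w), ct) for w, ct in stored]
```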
Reference/Origin of the idea -> #90 (comment)