Creating, using, and managing protected cryptography keys

Abstract

System, method, and apparatus embodiments for creating, using, and managing protected cryptography keys are described. In an embodiment, an apparatus includes a decoder, an execution unit, and a cache. The decoder is to decode a single instruction into a decoded single instruction, the single instruction having a first source operand to specify encrypted data and a second source operand to specify a handle including a first including ciphertext of an encryption key, an integrity tag, and additional authentication data. The execution unit is to execute the decoded single instruction to perform a first check of the integrity tag against the ciphertext and the additional authentication data for any modification to the ciphertext or the additional authentication data, perform a second check of a current request against one or more restrictions specified by the additional authentication data of the handle, decrypt the ciphertext to generate an encryption key only when the first check indicates no modification to the ciphertext or the additional authentication data and the second check indicates the one or more restrictions are not violated, decrypt the encrypted data with the encryption key to generate unencrypted data, and provide the unencrypted data as a result of the single instruction. The cache is to store the handle, wherein only a portion of the integrity tag is to be used in a lookup of the handle.