1.3.1.2 ClientWrap Subprotocol

In this subprotocol, the client first retrieves the server's public key as specified in section 3.1.4.1.3. This is shown in figure 3.


Figure 3: Retrieving the server's public key for client-side secret wrapping

The client can then use this public key to wrap any number of secrets, as specified in section 3.2.4.1. At a later time, when the client needs to access one of these secrets, the client submits the wrapped secret to the server as specified in section 3.1.4.1.4. This is shown in figure 4. The server then performs access checks to ensure that the client is authorized to receive the secret, and if the checks succeed, it returns the unwrapped secret. This process, including the access checking performed, is specified in section 3.1.4.1.4.


Figure 4: Recovering a client-side wrapped secret
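The two exchanges above (figure 3: fetch the server's public key; figure 4: submit a wrapped secret and, after an access check, receive it back) as an added, self-contained illustration in Go. This is not the protocol's wire format or the server's own code: the envelope layout, the hybrid RSA-OAEP plus AES-GCM wrapping, the caller/owner access-control map that stands in for the server's real access checks, and the identities "alice" and "mallory" are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrAccessDenied is returned when the caller is not authorized for the wrapped secret.
var ErrAccessDenied = errors.New("access denied: caller not authorized for this secret")

// Server holds the RSA key pair; only the public half is ever handed to clients.
// authorized[caller][owner] == true means caller may recover secrets wrapped by owner
// (a constructed stand-in for the real protocol's access check).
type Server struct {
	priv       *rsa.PrivateKey
	authorized map[string]map[string]bool
}

// WrappedSecret is this example's envelope, not the protocol's wire format.
type WrappedSecret struct {
	Owner      string // identity that wrapped the secret, bound as GCM additional data
	WrappedKey []byte // random AES-256 key, RSA-OAEP encrypted to the server's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM ciphertext of the secret, tag appended
}

// NewServer generates the server key pair (one-time setup) and installs the ACL.
func NewServer(acl map[string]map[string]bool) (*Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv, authorized: acl}, nil
}

// PublicKey is the only server round trip needed before wrapping (figure 3).
func (s *Server) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// newGCM builds an AES-256-GCM AEAD from a raw key; used by both sides.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ClientWrap runs entirely on the client with the retrieved public key: a fresh AES key
// encrypts the secret and that key is wrapped under RSA-OAEP. No server contact is needed.
func ClientWrap(pub *rsa.PublicKey, owner string, secret []byte) (*WrappedSecret, error) {
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Owner is additional data, so it cannot be swapped without detection at unwrap time.
	ct := gcm.Seal(nil, nonce, secret, []byte(owner))
	wrappedKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &WrappedSecret{Owner: owner, WrappedKey: wrappedKey, Nonce: nonce, Ciphertext: ct}, nil
}

// Unwrap is the server side of figure 4: the access check runs before the private key is touched.
func (s *Server) Unwrap(caller string, w *WrappedSecret) ([]byte, error) {
	if !s.authorized[caller][w.Owner] {
		return nil, ErrAccessDenied
	}
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, w.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	// Open fails if the ciphertext, nonce or Owner field was altered in transit.
	return gcm.Open(nil, w.Nonce, w.Ciphertext, []byte(w.Owner))
}

func main() {
	srv, _ := NewServer(map[string]map[string]bool{"alice": {"alice": true}})
	w, _ := ClientWrap(srv.PublicKey(), "alice", []byte("constructed sample secret"))
	got, err := srv.Unwrap("alice", w)
	fmt.Printf("alice: %q err=%v\n", got, err)
	_, err = srv.Unwrap("mallory", w)
	fmt.Println("mallory:", err)
}
```

The ordering in Unwrap is the point worth copying: the authorization decision is made on the caller's identity and the envelope's owner field before any private-key operation, and because the owner field is authenticated as GCM additional data, relabeling an envelope to an owner the caller is allowed to read fails at Open rather than yielding the secret.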