A method of providing cryptographic information and flow control includes
first determining a target domain from an IP address. An organization
policy is looked up from a credential store, and an algorithm and
credentials specified for the target domain are looked up in a
domain-credential map. Any further credentials that are provided and that
are permitted by the organizational policy are added. A working key is
then generated, and information is received in the form of a receive
packet. Any packet header is stripped from the receive packet and the
remaining data is encrypted. Key splits are retrieved from the credential
store, and are combined to form a key-encrypting key. The working key is
the encrypted with the key-encrypting key, and a CKM header is encrypted.
The encrypted CKM header is concatenated to the beginning of the
encrypted data to form transmit data, and the packet header and the
transmit data are concatenated to form a transmit packet. The transmit
packet is then provided to a network interface card for transmission on a
network.