Encrypted (Black) Keys and Ethernet Key Fill

@aarmono aarmono released this 27 Sep 22:21

I initially resisted implementing Black Keys due to the lack of secure memory on the Pi, but I have bitten the bullet and done so. My reasoning is that at worst it is no more secure than not using key encryption, and at best does improve system security.

The Black Key implementation uses Public Key Infrastructure. A Locked device can be created with a Private Key written to the SD card. Each device has its own Private Key. This Private Key can be encrypted with a Crypto Ignition Key, which is written to a USB Drive or SD Card. The Crypto Ignition Key must then be inserted into the Crypto Voice Module in order to decrypt the Private Key. If this is not done, the Crypto Voice Module will be unable to decrypt Black Keys.

Unencrypted (Red) Keys are then encrypted with the corresponding device's Public Key to produce the Black Key. The Black Keys can then be written to an SD Card or USB Drive, or served over Ethernet. If a device is compromised, its Public Key can be removed from the Key Fill/Generator device, and the compromised device will no longer be able to receive Keys.
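The Red/Black flow described above can be walked through with the `openssl` command line. This is an added example, not code from this project: the release notes do not name the algorithms, so RSA-2048 with OAEP padding, the AES-256-CBC passphrase wrap of the Private Key, and all file and function names are assumptions.

```shell
#!/bin/sh
# Constructed walk-through of the Black Key flow. Algorithms and file names are
# assumptions for illustration, not the project's confirmed implementation.
set -e

# Locked device: Private Key wrapped by the Crypto Ignition Key (CIK); the
# Public Key is exported so it can be handed to the Key Fill device.
provision_device() {  # $1 = work dir
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$1/cik"  # stands in for the CIK on USB/SD
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "file:$1/cik" -out "$1/device.key" 2>/dev/null
    openssl pkey -in "$1/device.key" -passin "file:$1/cik" \
        -pubout -out "$1/device.pub"
}

# Key Fill device: Red Key + device Public Key -> Black Key.
# Refuses when the device's Public Key has been removed (revoked device).
make_black() {  # $1 = work dir
    [ -f "$1/device.pub" ] || return 1
    openssl pkeyutl -encrypt -pubin -inkey "$1/device.pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$1/red.key" -out "$1/black.key"
}

# Crypto Voice Module: Black Key -> Red Key, only when the right CIK is present.
load_black() {  # $1 = work dir, $2 = CIK file, $3 = output file
    openssl pkeyutl -decrypt -inkey "$1/device.key" -passin "file:$2" \
        -pkeyopt rsa_padding_mode:oaep -in "$1/black.key" -out "$3" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    provision_device "$d" || return 1
    head -c 32 /dev/urandom > "$d/red.key"          # constructed Red Key
    make_black "$d" || return 1
    # With the CIK inserted, the module recovers the Red Key exactly.
    load_black "$d" "$d/cik" "$d/out" && cmp -s "$d/red.key" "$d/out" || return 1
    # Without the correct CIK, the Private Key stays locked.
    echo wrong > "$d/bad_cik"
    if load_black "$d" "$d/bad_cik" "$d/out2"; then return 2; fi
    # After the Public Key is removed, no new Black Key can be produced.
    rm "$d/device.pub"
    if make_black "$d"; then return 3; fi
    rm -rf "$d"
}

demo && echo "black key flow OK"
```

Only `device.pub` ever needs to sit on the Key Fill device; `device.key` stays on the Locked device and is unusable without the CIK file.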

A dedicated Key Fill device type was also added as part of this release. A Key Fill device does not need to have USB audio devices attached and can be used to generate keys and serve them to Crypto Voice Modules or other Key Fill devices using the Pi's Ethernet adapter. This Ethernet-based Key Fill does not require any Ethernet infrastructure such as switches or routers, and can be done by directly connecting a Crypto Voice Module to a Key Fill device using a simple Ethernet cable. The Ethernet-based Key Fill can only serve Black Keys.