What is encryption key management?


By Prateek Panda


When it comes to data security, strong encryption is essential. But encrypting data becomes useless if you don’t secure your keys. As a well-known security analyst put it, “Locking the door doesn’t do any good if the key is under the doormat where anyone can find it.”

Encryption key management helps firms keep keys safe and ensures data security and the integrity of their systems. But what exactly is encryption key management? As a discipline, it’s evolved significantly over the past decade but its basic principles remain constant.

What is encryption key management?

Encryption keys secure data and device identities by authenticating users and giving them the means to encrypt and decrypt data. Naturally, the secret keys used to keep communication and systems safe are a major target for hackers. These keys must be generated, distributed, and stored, providing multiple potential points of exposure and compromise. For example, hackers reverse engineer software to find keys stored in the application code. Or they search through the memory of running applications to discover keys as they are being used in cryptographic operations. 

This means that the keys themselves must be regulated and protected. Poor practices, weak security, and human error can undo even the most complex cryptographic systems. Encryption key management puts a framework in place that mitigates possible security flaws and reduces the risk that cryptographic keys will be compromised.

There isn’t a simple answer to “what is encryption key management?” because it encompasses an entire system, mindset, and approach to key safety.

What is encryption key management used for?

Robust encryption key management covers the entire lifecycle of cryptographic keys and their protection.

The cryptographic key lifecycle includes: 

  • Generation of keys: Cryptographic keys need to be generated securely within a trusted system. On servers or cloud platforms this is often performed in a physically and logically secure dedicated hardware device called a Hardware Security Module (HSM). The process of securely generating keys can be extremely complex, requiring effective infrastructure and safeguards.
  • Governing the distribution of keys: Deciding who is allowed to have keys and how they are transmitted.
  • How keys are to be used: This concerns not only how the keys are used (e.g., symmetric keys being swapped to enable data exchange) but also the policies that ensure key security.
  • Where and how keys should be stored: Centralized key storage is a major security risk. If a hacker manages to access a private or root key, they can reverse engineer it to access entire systems. This can even happen with encrypted keys. This is why host platforms often use HSMs.
  • What happens to keys at the end of their lifecycle: When keys are retired, they must be disposed of correctly. Access to old or obsolete key data can allow hackers to reconstruct the key structure and attack a current system.
  • Revocation of access and deleting of keys: Whether it’s a certificate authority or the administrator of a PKI, cryptographic systems foster trust through constant vigilance over key integrity. This means deleting compromised keys and revoking certificates from those who break compliance requirements.

By establishing clear policies and rules for how cryptographic keys are created and used, the cryptosystem maintains the integrity of the infrastructure to shield against attacks while building the trust of those who are using it. 

What is encryption key management security?

Adherence to these guidelines is just one aspect of good encryption key management. To truly maintain a secure cryptosystem, the protection of the encrypted keys is essential. This includes:

  • Keeping logical access limited: Especially when working with multiple partners in unsecured environments, full access to the logic and algorithms behind a cryptographic system can be compromised, making the entire system vulnerable.
  • Guarding physical access: On-premises servers or devices are potential targets for criminals to steal or access information that would help them to break into a cryptosystem.
  • Restricting user/role access: The number of users and levels of access correlates to cryptographic key safety. While there may be a large number of keys being used in the same cryptographic system, ensuring that access control is well-defined and maintained helps to preserve its integrity.
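
An added example, not code from the article or from Intertrust: a minimal in-memory key store that enforces the lifecycle stages listed earlier (generation, use, retirement, revocation, destruction) together with the role restrictions in the list above. The role names, key ids and the choice of HMAC-SHA256 as the keyed operation are assumptions for illustration; a production system would keep the key material in an HSM or similar protected store.

```python
import hashlib, hmac, secrets
from enum import Enum

class State(Enum):
    ACTIVE = 1     # may protect new data and verify old data
    RETIRED = 2    # may only verify data protected before rotation
    REVOKED = 3    # compromised or non-compliant: no use at all
    DESTROYED = 4  # key material wiped

# Assumed role policy for this example (not from the article).
ROLE_OPS = {"service": {"sign", "verify"}, "auditor": {"verify"},
            "admin": {"rotate", "end_of_life"}}

class KeyStore:
    def __init__(self):
        self._keys = {}        # key_id -> [State, bytearray of key material]
        self.active_id = None

    def _allow(self, role, op):
        if op not in ROLE_OPS.get(role, ()):
            raise PermissionError(f"{role} may not {op}")

    def rotate(self, role):  # generate from the OS CSPRNG, retire the previous key
        self._allow(role, "rotate")
        if self.active_id is not None:
            self._keys[self.active_id][0] = State.RETIRED
        self.active_id = f"k{len(self._keys) + 1}"
        self._keys[self.active_id] = [State.ACTIVE, bytearray(secrets.token_bytes(32))]
        return self.active_id

    def sign(self, role, msg):  # only the ACTIVE key may protect new data
        self._allow(role, "sign")
        entry = self._keys.get(self.active_id)
        if entry is None or entry[0] is not State.ACTIVE:
            raise RuntimeError("no active key; rotate first")
        return self.active_id, hmac.new(entry[1], msg, hashlib.sha256).digest()

    def verify(self, role, key_id, msg, tag):
        self._allow(role, "verify")
        state, key = self._keys[key_id]
        if state not in (State.ACTIVE, State.RETIRED):
            return False       # revoked or destroyed keys are never trusted
        return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), tag)

    def end_of_life(self, role, key_id, new_state):  # revoke or destroy a key
        self._allow(role, "end_of_life")
        entry = self._keys[key_id]
        entry[0] = new_state
        if new_state is State.DESTROYED:
            entry[1][:] = bytes(len(entry[1]))  # best-effort overwrite in Python
```

Each tag is returned with the id of the key that produced it, which is what lets data protected before a rotation still be verified while new data always uses the current key.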

One of the biggest problems for cryptographic key security is that keys are often not stored securely or become visible during authentication or decryption. To eliminate this risk, Intertrust has developed whiteCryption Secure Key Box. This cryptographic library protects the foundational elements of a cryptographic system, such as encryption, key generation, and dynamic key wrapping (through import and export). 

Keep your keys secure

whiteCryption Secure Key Box uses state-of-the-art white-box cryptography to ensure that keys are ultra-secure and are never revealed in plain form during runtime, at rest, or in transit. In all industries, data safety needs to be a primary security priority. We go further than other solutions to keep the keys to your data safe.

To learn more about threats to cryptographic keys, strategies and methods for protecting them, and how whiteCryption Secure Key Box can make your encryption key management more secure, read our white paper.




About Prateek Panda

Prateek Panda is Director of Marketing at Intertrust Technologies and leads global marketing for Intertrust’s application shielding and device identity solutions. His expertise in product marketing and product management stems from his experience as the founder of a cybersecurity company with products in the mobile application security space.
