As enterprises continue their digital transformation, safe transfer of and access to information is imperative. While humans rely on usernames and passwords to prove our identity, machines rely on keys and certificates to authenticate. With the push to remote work and the explosion of IoT devices, BYODs, VMs, containers, cloud workloads and microservices, there hasn’t been a more important time to maintain secure practices for encryption key management.
Encryption key management: A primer
An encryption key management system includes generation, exchange, storage, use, destruction and replacement of encryption keys. Controlling and maintaining encryption keys is an essential part of any encryption strategy. It’s very easy for administrators to run wild and create a tangled mesh of encryption keys. And the more keys that result from this lack of control,, the more chances cybercriminal have of misusing these keys to return encrypted data to its original unencrypted state.
If administrators are storing keys locally, they may never interact with the keys directly after the initial use. Even more dangerous are cases where the encryption key is actually stored with the data, protected by a series of other keys which are still generated from passphrases.
Effective key management will separate keys from data for increased flexibility and security. When you properly secure encryption keys, administrators can still use multiple keys for the same data, the same key for multiple files, key backup and recovery, and many more choices.
Why is key management important?
Data is only good if it can be trusted. To keep data safe, it is encrypted and decrypted using encryption keys. Key management is important because it helps you keep track of the myriad number of keys floating around your environment. Whoever has those keys has access to the data, so proper key management ensures that person is you, and only you.
Types of encryption keys
There are two main types of encryption keys: symmetric and asymmetric.
Symmetric key encryption uses a single key to both encrypt and decrypt data. It is a part of the public key infrastructure (PKI) and makes it possible to transfer data securely across the internet by converting plaintext into ciphertext that is unrecognizable. With symmetric key encryption, both parties share the same key, and safety rests on the key being kept secret. While faster than asymmetric encryption, symmetric encryption is also less safe as anyone who intercepts the key can decrypt the information.
Asymmetric encryption, or public key encryption, increases security by using two different encryption keys at once; a private and a public key. This way, the private key is known only to the owner, and the public key is available to all via a publicly accessible directory. Both the public and private key are required to decode an encrypted message and ensures that even if someone did steal the public key, the private key is still needed to decrypt the message.
How encryption key management works
Creating, storing, using, and managing cryptographic keys is a multi-step process.
First, the encryption keys need to be made. Key generation is the process of creating the cryptographic key that will both encrypt and decrypt data. Keys are spun up using a key generator, or keygen. These keys are made up of distinct alpha-numeric sequences that include symmetric key algorithms like DES and AES, and public key algorithms like RSA.
Next, the keys must be stored for safety and ease of use. In key storage, a good rule of thumb is that the measures taken to secure a private or public key must be equal to the security with which you’d protect the encrypted message itself.
When finding a secure spot for your cryptographic keys, it is important that they are easily accessible and able to be shared. It is vital that you can find them, identify their owners, organize them, update them, and revoke them if needed – en masse, if possible. An automated key management solution can help with this.
The process of key revocation is handled by a CRL, or Certificate Revocation List. Should a bad actor gain entrance into your network and compromise one of your cryptographic keys, it may be necessary to revoke them all at once. And it is good security hygiene to establish rules to revoke a key and replace it with a new one prior to expiration. Expired keys present a huge liability and can lead to major data breaches.
Encryption key management systems
When it comes to key management systems, several options are available.
A Hardware Security Module (HSM) is a specialized hardware unit that performs all cryptographic functions (encrypting, decrypting, storing, generating and managing cryptographic keys) so your servers don’t have to. It is a physical key management system.
A Hosted HSM is a traditional HSM hosted within a cloud environment.
Intel Software Guard Extensions (SGX) is a set of instructions that encrypts sections of memory using security instructions native to the CPU. SGX is a type of hardware-based encryption that allows users to divide a computer's memory into enclaves, which are private, predetermined memory sections that can better safeguard sensitive data, such as encryption keys.
A virtual key management system can be downloaded from a vendor and spun up immediately in a virtual environment.
Many vendors will provide managed encryption key management on a pay-as-you-go basis. Cloud providers often offer their own encryption key management offerings, and some provide Key Management as a Service (KMaaS). While convenient, these can operate on a multi-tenant model, meaning that more than one client’s keys can be managed on the same key management instance. This may introduce some security concerns.
Encryption key management compliance and best practices
Key management is needed for compliance with Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the General Data Protection Regulation (GDPR). Some best practices for maintaining compliance include:
- Avoid hard-coding keys
- Practice the principle of least privilege
- Use an HSM as part of your routine
- Find solutions that use automation to manage your keys at scale
- Create and enforce policies surrounding key management
- Split keys into different parts and store separately to prevent compromise
Simplify key management with Venafi
To ensure your cryptographic keys are properly configured, stored and rotated, you need an automated key management solution that can scale. The Venafi Control Plane for Machine Identities manages all cryptographic keys and machine identities across all devices, VMs, APIs, BYODs and machines within your ecosystem. Scan to audit the keys and certificates currently in your environment, then automate their rotation or revocation – individually or at once. Venafi’s automated key management solution simplifies Zero Trust by managing your entire key inventory from a centralized dashboard, anywhere on your system, at enterprise level.
(This post has been updated. It was originally published on November 18, 2022.)