Key Management

Key management encompasses the lifecycle of cryptographic keys that protect sensitive data. Poor key management can render even strong encryption useless.

Key lifecycle:

• Generation: Creating keys using secure random generators
• Storage: Secure storage in HSMs or cloud KMS
• Distribution: Sharing keys with authorised systems
• Rotation: Regularly replacing keys
• Revocation: Disabling compromised keys
• Destruction: Securely deleting unneeded keys

Cloud key management services:

• AWS KMS: Centralised key management integrated with AWS
• Azure Key Vault: Key and secret management
• Google Cloud KMS: Key management for GCP
• HashiCorp Vault: Multi-cloud secrets management

Key management models:

• Cloud-managed: Provider generates and manages keys (simplest)
• Customer-managed (CMK): You control keys through cloud KMS
• Customer-provided (BYOK): You provide keys from your infrastructure
• HSM-backed: Keys in dedicated hardware security modules

Best practices:

• Never store keys alongside encrypted data
• Rotate keys at least annually
• Use separate keys for different data classifications
• Implement access controls on key usage
• Log all key operations for audit
• Use envelope encryption for efficiency