Every company that uses cryptography to protect sensitive data must follow encryption key management best practices. These practices keep cryptographic keys safe throughout their lifecycle and ensure cybersecurity measures do not fall short due to a lack of proper key management.
Use Appropriate Algorithms and Key Sizes
Select the correct algorithm and key size for each encryption key. This decision depends on the use case and must account for:
- Security risks.
- Key lifespan.
- The amount and value of encrypted data.
- Performance requirements.
Depending on the use case, you can either use:
- Symmetric algorithms (such as AES).
- Asymmetric algorithms (such as RSA or ECDSA).
Symmetric algorithms are a good choice for protecting data at rest, so use this approach to keep databases safe. Asymmetric encryption is ideal for protecting data in motion, such as emails or web content. Choosing the correct key size requires balancing.
Larger keys result in more secure encryption, but key length can impact performance. Be sensible with key sizes as large keys often cause issues. For example, using the AES-256 symmetric encryption for all processes will make your system secure, but you will run into performance problems.
Rely on the Principle of Least Privilege
Employees should only have access to the keys they require to perform their duties and tasks. The same need-to-know basis also applies to apps. Ensuring only authorized users and systems can access a key helps:
- Limit the options for an attacker with a compromised key.
- Reduce the attack surface.
- Narrow the suspect pool if a breach occurs.
- Limit the risk of an insider threat.
- Prevent lateral movement between systems.
Properly authenticate users every time they access, manage, or use an encryption key. Use role-based access controls (RBAC) to restrict permissions according to each user’s specific duties.
Consider using the dual control principle (a.k.a. four eyes) for the keys responsible for vital operations, such as rotation or deletion. This practice requires two or more authorized people to approve the process before it can start.
Regular Key Rotation
Each key in your organization should have a crypto period during which a key is functional. You calculate the crypto period by accounting for two factors:
- The originator usage period (OUP): The time during which you apply cryptographic protection to a system.
- The recipient usage period (RUP): The time during which users can decrypt data with a specific key.
The two periods start concurrently and are flexible, so define the crypto period based on:
- The strength of the encryption algorithm.
- The value of encrypted data.
- Key length.
- The security risk.
- Legal regulations.
Once the crypto period expires, run a rotation to replace the old key with a new one. Limiting the amount of data you encrypt with one key reduces the risk of lost or stolen credentials. Ideally, the rotation process should be automatic to prevent human errors and free the team from repetitive tasks.
Centralize Your Encryption Key Management
A single company can rely on hundreds or even thousands of encryption keys. A centralized management platform helps organize, protect, manage, and use all those keys. A centralized platform leads to:
- Simplified management that removes the need for using a set of different tools.
- Streamlined and safe generation, storage, and distribution processes.
- Total visibility into how employees and teams use keys.
Centralized key management reduces risk, improves efficiency, and simplifies admin tasks. You can use this strategy to:
- Create policies and procedures for all key-related operations (access controls, duty segregation, split knowledge, etc.).
- Implement various automation options and eliminate manual tasks.
- Ensure a comprehensive audit log and track activities.
- Control access to valuable keys with user profiles, roles, and credentials.
- Ensure key management can scale alongside your company.
- Reduce costs by automating tasks and lowering the number of necessary staff members.
Never Hard-Code Your Keys
Including key material in source code is a significant security concern. If the code is public, an attacker has a direct way to read the key. Even if the code is private, the development team becomes a go-to target for hackers, and your attack surface needlessly increases.
As an attacker can obtain a key without compromising the management app, you can suffer completely undetected breaches. Besides introducing needless risk, hard coding a key also poses a problem for rollovers and overall cryptographic agility.
Make Full Use of Automation
Relying on manual key management is time-consuming, expensive, and prone to mistakes. Automation allows you to:
- Eliminate repetitive tasks.
- Speed up all key-related operations.
- Limit the room for human error.
- Reduce the number of required staff members.
- Clear up the team’s schedule and allow employees to focus on innovation and improvements.
- More reliably enforce security policies and log activities.
- Achieve high availability levels for keys.
Automation in key management improves processes throughout a key’s lifecycle, so consider automating the following operations:
- Generating new key pairs.
- Rotating keys at set intervals to avoid going past their crypto period.
- Backing up keys.
- Revoking access to keys.
- Destroying out-of-date or compromised keys.
Create and Enforce Company-Wide Policies
Security policies dictate how staff members and teams should store, use, and manage keys. These policies provide:
- Instructions and rules across a key’s lifecycle.
- Requirements for ensuring operational safety and compliance.
- Guidelines on what users can and cannot do with keys.
- The responsibilities for the management of cryptographic keying material.
Once you prepare your policies, run training sessions to ensure employees know what you expect from the team. A centralized platform is the most reliable method of enforcing, updating, and communicating policies.
Also, if your encryptions rely on the cloud, ensure your key management and cloud security policies align well with each other.
Store Keys on an HSM
An HSM (hardware security module) is a physical device that stores keys and enables you to perform cryptographic operations on-premises. These devices provide strong physical and logical security as stealing a key from an HSM requires an attacker to:
- Break into your facility.
- Steal the access card needed to reach the HSM.
- Take the device from the premises without being noticed.
- Bypass the encryption algorithm that protects the keys.
Relying on an HSM in the cloud is also a viable method. In that scenario, the success depends on the cloud service provider’s security levels, so always side with a reputable vendor if you choose that option.
Separate Employee Duties
Separating key management tasks is an essential practice for any security-aware organization. This strategy requires you to divide responsibilities for critical tasks between different staff members. By doing so, you:
- Limit options for intruders posing as employees.
- Minimize the potential for frauds and insider threats.
For example, you can task one person with authorizing access, another with distributing keys, and a third with creating keys. In that scenario, the user who permits access cannot steal the key during distribution or know the key’s value during the generation phase.
Safe Online and Offline Distribution
Companies should use a purpose-built secure API to safely distribute keys from the point of creation to the system or person that will use them. Consider the following:
- For online distribution, you should encrypt keys and send them over a secure Transport Layer Security (TLS)
- For offline transport, encrypt the key and split it into 2 or 3 components that are useless on their own.
Key splitting ranks high among encryption key management best practices. With this strategy, a lost component does not lead to a stolen key unless the attacker can gather other portions.
Consider using white-box cryptography for when keys arrive at their destination. White-box cryptography uses a software-based algorithm to protect keys no matter where they are or if they have hardware support.
Reliable Key Backups and Recovery
If your storage runs into an error or someone attacks it, you must have the ability to restore keys. Not being able to recover a key can lead to permanent loss of encrypted data. Ensure you have robust backups that allow you to restore lost keys quickly and reliably. Good practices include:
- Protecting backups with symmetric encryption.
- Using immutable backups to prevent data tampering.
- Backing up keys multiple times a day.
- Running periodic checks of the backup app to ensure everything works correctly.
Reliable Audit Trails
Secure, automated, and centralized logging and reporting are vital to safe and compliant key management. Good practices include:
- Keeping a complete history of each key throughout its lifecycle.
- Logging details about every interaction with the key, including the purpose, the user (person or system), accessed data, queries, and the time of usage.
- Tracking granted privileges and access levels.
- Logging successful and attempted logins.
Clean, detailed logging and reporting help with:
- Preparing compliance audits.
- Post-incident forensics.
- Understanding the mechanics of your key management.
- Finding opportunities for system improvements.
Consider integrating your key management platform with a SIEM tool to enable deeper analysis and reporting.
Never Use the Same Key for Different Purposes
Each key should only have a single purpose, such as:
- Data encryption or decryption.
- User authentication.
- Digital signatures.
- Key wrapping.
Ensure employees never use duplicate keys for different tasks.
Keep Keys Away from Encrypted Data
Never keep the key in the same database as the encrypted data. While this practice simplifies management, keeping encrypted content alongside the key for decryption enables a hacker to compromise data with a single breach.
Prepare a Robust Disaster Recovery Plan
No matter how many policies and measures you set up, something will eventually go wrong. Even if you implement all encryption key management best practices, the following incidents are still likely:
- A user will lose credentials to their key.
- Someone will accidentally send keys to the wrong person.
- A disgruntled ex-employee might delete a key.
- Hackers might break into the key storage.
- Encryption algorithms might have a flaw.
- A developer could accidentally publish a private key on a public repository.
Accidents happen, so being prepared helps mitigate the risk. Identify all possibilities and create a robust disaster recovery plan to ensure the team is ready for all scenarios.Read about cloud disaster recovery and the benefits of backing up critical data into the cloud.
Distribute Encryption and Decryption Processes
A company can run encryption and decryption processes either:
- Locally at the file, database field, or app level.
- On a single-purpose encryption server.
From a security perspective, distributing the scrambling and descrambling processes is a better option. If you set up secure key distribution, separating encryption and decryption leads to:
- Better performance.
- Lower bandwidth.
- Higher availability due to fewer points of failure.
- Better data transmissions.
Running encryption and decryption at a central server is simpler to set up, but you will likely run into performance issues. Also, if an attacker compromises the central server, your entire security infrastructure could go down.
Encryption Key Management Best Practices Keep Cryptography Safe and Healthy
Implementing the practices listed above will ensure key management does not become a weakness in your security strategy. Use strong policies, robust access controls, and centralization to protect and stay in control of your encryption keys.