Understanding encryption key management

Encryption keys are a bedrock concept in cryptography. If they’re not well-protected, you risk exposing your sensitive data resources to unauthorized access and exposure.

Read on to learn all you need to know about encryption key management, including what it is, why it’s important, and how you can improve your cryptographic ecosystem today.

Encryption key management refers to the policies and procedures for generating, distributing, storing, organizing, and protecting cryptographic keys.

In short, a cryptographic key is a data string. That string contains random characters in a particular order. Each one is paired with a cryptographic algorithm, which is a mathematical formula that serves a certain purpose, such as generating a digital signature for authentication. However, most keys are used for encryption.

What is encryption?

Encryption is a cryptographic operation that converts plaintext into ciphertext, thereby securing sensitive data and rendering it unreadable. The encrypted data can only be made readable again if the entity attempting to access the information has the requisite cryptographic keys to decode the ciphertext. This inverse process is what’s known as decryption.

In cryptography, there are two main types of encryption keys: symmetric and asymmetric.

• Symmetric key encryption uses the same master key for data encryption and decryption. Both parties share the same symmetric key, which means they’re responsible for keeping it secret. Although it’s faster than asymmetric cryptography, it’s much less secure because anyone who gets a hold of the master key can access the information. 
• Asymmetric key encryption, also known as public key encryption, uses a system called “public key infrastructure” (PKI), which involves two mathematically linked encryption keys. The public key encrypts data and can be freely distributed, while the private key must be kept secret. It’s a longer process but offers much stronger data protection, as you need both to decrypt the message.

For more information, check out our comprehensive guide to encryption.

What secrets management?

Secrets management is a discipline that involves securely storing, accessing, and managing digital authentication credentials — otherwise known as “secrets.”

The name refers to the types of sensitive information organizations must keep confidential because they permit or protect access to critical IT resources, such as computers, databases, or cloud applications. In addition to encryption keys, secrets can include:

• Passwords
• Application programming interface (API) keys
• Secure Shell (SSH) keys
• Open Authorization (OAuth) tokens
• Private certificates

How is this different from encryption key management? Think of managing secrets as a broader practice encompassing a wider range of information. Both are critical to data security and overlap to a degree, but key management is specifically focused on protecting encryption keys throughout their lifecycle.

Encryption is a vital asset in enterprise data security. By obscuring and scrambling sensitive data, it protects organizations from economic and reputational damage, not to mention legal and regulatory trouble. However, encryption is only as good as the degree to which its associated keys are protected.

Consider encryption the lock on your front door. It’s made to protect your prized possessions, but it can only do so if you adequately protect the key. For example, leaving the key under your doormat defeats the protection your lock provides.

Bottom line: There’s no point encrypting data if you don’t secure the encryption keys. They underpin the entire process, which is why key management is an absolute must-have for any enterprise.

Challenges of encryption key management

Unfortunately, many organizations have trouble keeping their cryptographic keys in check. It’s not uncommon for hackers to get ahold of them — and in turn, access to sensitive information systems.

For example, in July 2023 a China-backed cybercrime group stole a cryptographic key from Microsoft. This allowed them to access Outlook email systems for 25 organizations, including U.S. government agencies. The company later disclosed a series of oversights that led to the breach.

Indeed, managing keys is a complicated endeavor for several reasons:

• Manual processes are prone to error and can result in devastating consequences.
• Attackers who gain control of a key management system can issue credentials that make them an insider, potentially with privileges to access systems undetected.
• Compromised key management processes result in the need to reissue credentials, which can be an expensive and time-consuming process — especially if you’re working by hand.
• Credential validation rates can vary enormously and can easily outpace the performance characteristics of a key management system, risking business continuity.
• Business application owners’ expectations around security and trust models are rising and can expose credential management as a weak link that may jeopardize compliance claims.

Effective key management involves two primary components:

• Lifecycle management: Creating, maintaining, protecting, and deleting cryptographic keys.
• Access management: Ensuring that only authenticated and authorized users or machines can use keys to encrypt or decrypt data.

Lifecycle management

Keys have a lifecycle. They’re born, live to fulfill a purpose, and eventually, they retire. It seems simple, but in reality, the process is a bit more nuanced.

The exact order of the encryption key lifecycle can change depending on the situation. In some cases, you might skip phases entirely. Nonetheless, the basic progression works like this:

• Key generation: First, a key generator, or keygen, uses an encryption algorithm to create a new key. The most important part of key generation is ensuring it’s made using truly randomized numbers. Otherwise, it’s a lot easier for hackers to crack.
• Key registration: Before a key becomes useful, it must be registered to a user, system, application, or policy. This associates it with the intended purpose and owner.
• Key storage: Next, you must store the key for safety and easy access. Ideally, you should store it somewhere far away from the data it’s made to protect. It’s best to keep operational keys in an encrypted environment for added security.
• Key distribution: Once a key is ready for use, it must be securely transferred. A key management system facilitates this process, ensuring only authorized entities can access the key.
• Key usage: When keys are active and operational, it’s best to limit their use to just one purpose. Using the same key for two different cryptographic processes can weaken security. Likewise, key management software can help organizations monitor key usage and ensure they’re utilized appropriately.
• Key rotation: Regularly updating keys is essential for maintaining security. Key rotation involves replacing old keys with new ones to minimize the risk of compromise.
• Key revocation: At the end of the cycle, keys no longer needed or have been compromised should be disabled and promptly deleted. This prevents unauthorized access to sensitive data and eliminates the risk of old, outdated keys from falling into the wrong hands.

Access management

It’s often difficult for organizations to monitor cryptographic keys and which users or machines have access to them. Sometimes, it’s even harder to pinpoint circumstances when permissions are too lenient or if keys are compromised.

That’s where centralized key management software comes into play. With comprehensive control over your encryption keys, you can manage access control policies on a more granular level. Moreover, you can identify potential incidents and revoke keys before it’s too late.

A hardware security module (HSM) is a physical device that securely generates, stores, and manages encryption keys. HSMs provide tamper-resistant protection and are considered the most secure way to store keys. They enable your enterprise to:

• Establish a robust root of trust protecting the keys that encrypt your organization's secret credentials. 
• Secure token signing keys within carefully designed cryptographic boundaries, employing robust access control mechanisms with enforced separation of duties to ensure that keys are only used by authorized entities.
• Ensure availability by using sophisticated key management, storage, and redundancy features.
• Deliver high performance to support increasingly demanding enterprise requirements for access to resources from different devices and locations.

What is Bring Your Own Key (BYOK)?

Bring Your Own Key allows enterprises to generate strong keys in a tamper-resistant hardware security module and securely export them to the cloud, thereby strengthening data protection and retaining control and management of their encryption keys.

BYOK has emerged as an essential capability in the era of cloud computing. As organizations increasingly migrate applications, workloads, and data to the cloud, the question of how to manage the keys protecting these resources has garnered much debate.

While some enterprises are content allowing cloud service providers (CSPs) to generate and manage cryptographic keys for them, others might feel it’s at odds with their security policies. Typically, data physically resides with the CSP and out of the organization’s direct control. Encryption protects the data in the cloud, and to ensure its confidentiality and integrity, securing the encryption keys is of paramount importance.

The good news? BYOK is the ideal solution. It enables public cloud users to generate their own high-quality master key locally on-premises and transfer it to their CSP to protect their data. In turn, they gain:

• Flexibility, convenience, and cost-efficiency
• Stronger protection for sensitive data applications
• Fully visibility over key usage in the cloud

Encryption keys are pivotal to your enterprise security strategy, but keeping them safe is easier said than done. That’s why we designed Entrust KeyControl — a comprehensive key management and compliance platform.

As an end-to-end solution, KeyControl helps you manage, monitor, and control cryptographic keys throughout their lifecycle. It combines the power of centralized key management with the high-assurance security of a decentralized vault-based architecture.

That means you gain all the benefits of having rich visibility over your cryptographic keys without confining them to a single repository. Instead of putting all your eggs in one basket, your assets are distributed according to your needs.

And, with our Entrust nShield HSMs, KeyControl allows you to securely generate keys and enhance security through a strong root of trust.

If you’d like to explore what KeyControl has to offer, check out all the ways it can help your enterprise protect keys at scale.