Everything You Need To Know About Encryption Key Management Software (FAQs)
What Is Encryption Key Management?
Encryption key management is a series of processes and policies for generating, exchanging, storing, using, destroying, and replacing encryption keys. Encryption keys, or cryptographic keys, are a string of characters and numbers that, when run through a certain algorithm, encode and decode data. This transforms it into ciphertext that’s completely unreadable to anyone but the intended recipient with the key to decrypt the data. They also enable the secure transmission of data across the internet. This means that encrypted data is completely secure, as long as the encryption keys are secure. If a threat actor were to get hold of the decryption key, they would easily be able to access, read, and exfiltrate your encrypted data. So, effective encryption key management is a critical part of using encryption to secure data.
Unfortunately, many encryption solutions don’t also include effective key management; they simply store encryption keys locally, store them with the data, or don’t store them at all and simply generate them as needed when the user enters a password.
The best way to manage your encryption keys is to implement a dedicated third-party key management system that separates the keys from the data and stores them centrally for improved security, automatically rotates keys between uses, and offers key backup and recovery. There are three main types of encryption key management tools:
- A hardware security module (HSM) is a physical key management system that performs all cryptographic functions (encryption, decryption, key management) so that your servers don’t have to. You can also get a hosted HSM, which is hosted within a cloud environment.
- A key management virtual appliance can be downloaded from a vendor and deployed in any virtual environment.
- A managed key management service can be bought from a vendor on a subscription basis, sometimes as-a-Service (KMaaS). These tools can be run on-premises or in the cloud.
How Does Encryption Key Management Software Work?
Encryption key management software enables organizations to centrally manage and monitor their encryption key operations at every stage of the encryption key lifecycle. This lifecycle typically includes the following stages:
- Key generation
- Key distribution
- Key use
- Key storage and backup
- Key rotation
- Key revocation
- Key destruction
In the key generation stage, a key generator creates the cryptographic keys that will encrypt and decrypt the data. The keys should be generated in a secure location, using a strong encryption algorithm such as AES.
In the key distribution stage, keys are shared with their users. This should be done via secure TLS or SSL connections in order to prevent the keys being stolen whilst in transmission over the internet, e.g., via a man-in-the-middle (MitM) attack.
One distributed amongst the necessary users, the key is used for cryptographic operations, i.e., encrypting or decrypting data. The key should only be used by authorized, verified users.
Once the key has been used, it enters the key storage stage, when it needs to be securely stored until it’s needed again. Keys can either be stored in an HSM or hosted HSM, locally on the client’s side, or in an encryption key management solution. Encryption key management tools store keys centrally, making them easy to locate, access, and organize.
After a certain period of time known as the key’s “cryptoperiod”, an encryption key becomes unsuitable for use and must be rotated to minimize the risk of an attacker cracking the key. This involves decrypting the data with its old key, and re-encrypting it with a new one. Encryption key management tools often alert admins to keys that are soon to expire, and automatically rotate them to help save admin time.
Finally, if an encryption key is compromised, it needs to be revoked or destroyed. Revoking a key means that it can’t be used to encrypt or decrypt data, even if it’s still within a valid cryptoperiod. Destroying a key means that it’s permanently deleted from the key management system (or any other tool used to store the keys). Once destroyed, keys can’t be reconstructed unless they’ve been stored in a backup archive.
What Are The Two Types Of Encryption Key Algorithms?
There are two types of encryption algorithms, which use different types of encryption keys: symmetric and asymmetric.
Symmetric key encryption uses a single key to encrypt and decrypt the data. This means that both parties—the data owner and the recipient—share the same key. So, while symmetric encryption is faster than asymmetric encryption, it’s also less secure, as anyone who intercepts that shared key can decrypt and read the data. Symmetric keys focus on securing static data, i.e., data that’s stored in a database. That data is encrypted, then when a user verifies their identity, the same key is used to decrypt it so the user can read the data.
Asymmetric encryption provides users with two different but mathematically connected keys: a public key and a private key. The public key can be freely shared with anyone who wants it via a publicly accessible directory, and is used to encrypt the data. The private key is known only by the recipient, and is used to decrypt the data. Asymmetric encryption is typically used to encrypt data in motion, i.e., data that’s being transmitted across a public or private network connection.
When sharing sensitive data, it’s common to use both symmetric and asymmetric encryption. The data is first encrypted at rest with a symmetric encryption key, then that symmetric key is encrypted by the recipient’s public key. Once the encrypted message and symmetric key are delivered to the recipient, that person can use their private key to decrypt the symmetric key, which then decrypts the message.
Phew—that’s a lot of keys! Now imagine you have to do that for every piece of sensitive data anyone in your organization wants to share… And you need to keep track of each key being used… And you quickly realize the benefits of an encryption key management solution.