Key Management FAQ

In part 2 of our Data Protection FAQ series, we look at common questions asked about key management. The hardest part of implementing strong encryption is securely and effectively managing keys and certificates.

Hackers don’t break encryption, they steal keys. Without strong and flexible systems in place to do that, the best encryption standards are useless. Below is the FAQ on Key Management:

1. What is a Key Management System (KMS)?

The KMS is use to manage cryptographic keys for a cryptosystem. It involves the generation, creation, protection, storage, exchange, replacement and use of said keys and enables selective restriction for certain keys. In addition to access restriction, key management also involves the monitoring and recording of each key’s access, use and context.

2. Why do I need a KMS?

A proper KMS is a crucial part of a data protection strategy in ensuring the integrity of cryptography keys use between systems. The easiest way for a hacker to bypass encryption schemes is simply to steal the key. Managing crypto keys and certificates are technically challenging, labour intensive and prone to errors because there are too many keys in too many systems, at too many locations.

3. Can KMS manage keys at different systems and application?

Yes, a KMS is specifically designed to centrally manage the life cycle of crypto keys used by different systems

4. What is the difference between KMS and Hardware Security Module (HSM)?

A KMS provides a secure enclave for key governance to be managed independently, allowing encryption engines to perform their own crypto functions. On the other hand, a HSM provides fast and secure crypto processing used primarily for encryption operations of data- in-motion.

5. Does KMS offer encryption as well?

No. KMS automates only the key lifecycle management process. However, KMS is design to manage keys in cryptographic technology through a variety of integration options.

6. Can KMS work with my existing HSM?

Yes. A KMS provides a centralized point with features to manage keys across heterogeneous systems including working with a variety of HSMs to store keys in a tamper-proof hardware. This frees organizations from being lock down by a single HSM vendor.

7. What type of keys does the KMS support?

A typical KMS should support all types of symmetric and asymmetric keys i.e. certificates, crypto keys – AES, RSA, 3DES, DES, ECDSA

8. What are the types of policies are available?

● Client application policy
● Key policy e.g. algorithm type, usage, mechanism, attributes and validity
● Certificate policy
● Access control policy
● Audit trail policy

9. Are there audit trails to track key usage?

Yes. It is fundamental for KMS to have audit trail of all key and KMS system operations.

10. Can it work with Cloud HSM?

Yes, a versatile KMS should support your cloud-based crypto keys and allow you to manage the lifecycle on-premise or in the cloud

11. Where does the KMS store cryptography keys?

Data encryption keys are stored within the KMS database. These keys are encrypted with a master key that is split and stored separately within the system. For higher key assurance, the master key can be stored externally in a HSM through integration.

12. Does it offer separation of duties for different roles of users?

Yes, a KMS will be able to segregate users from accessing the crypto keys while not limiting users to perform system operations.

13. Will key rotation impact my application?

No. Keys can be rotated easily and transparently to users and applications according to an organization’s security policy.

14. What if the keys are lost or corrupted?

Similar to any data, crypto keys need to be backed up periodically in the event keys are lost or corrupted. It is the best practice to backup keys whenever changes are made.

15. Will KMS help my organization meet compliance requirements?

Most compliance standards require key management. If applicable, a KMS will help your
organization meet requirement:

  • PCI DSS v3.2 req 3.5 and 3.6
  • BNM RMiT req 10.16, 10.19 and 10.20