Indispensability of key management

In today's distributed environment, no technical discussion escapes the mentioning of encryption and TLS as preserving the integrity of data flows is a bare essential in every technical design of today. The need of TLS give rise to yet another important topic which I have a love-hate relationship with and that is the management of private keys and secrets. ?

To emphasize on my love-hate relationship, it is not because of the tedious integrations or testing nightmares but rather because of the numerous discussions and lack of clarity around the processes of key management. And why is there all this fuzz? Let's try to analyse this by looking at couple of characteristics of the keys:?

1. Keys are used to encrypt the data, nice! But where to store the keys then? Well, should I not just save this in my source code? Who will know if I do ;-). What if it is found in the PEN test ;-). So, where then? Oh yes, it should be in a safe vault like where you store all the important physical assets, right? But where is the vault and who owns the vault? The vault must also have a master key and be used with a key lifecycle management process to be connected from applications and services. Too many processes to discuss!
2. Keys can die (expire) and new keys are born (renewal). In worst cases, keys can also be killed (revoked). Some lucky keys can live for many years e.g. root keys and some are short lived (ephemeral like one time use keys). And now, who is generating these keys and making sure they keys are valid?

These characteristics imply the need for a resilient key management without the need to rebuild the software's that use these keys.

I hope you would agree with me that the cryptographic keys are becoming critical asset to any organisations and deserve to be kept in a safe deposit a.k.a vault. But all this is not easily done. The challenge for key management is to have people with the right skill and mindset to standardize the operations around the key management in a centralized way. Oh yes, centralized way!

In order to have a resilient key management, the following needs to be scoped in:

• The storage of the keys in a vault
• The guidelines for use of the keys from the vault
• The authorization on the access to the keys?
• Auditing for all the key management activities
• Replacement/Revocation for the keys

This loops me back to the title of this article to emphasize that the key management is an indispensable asset for any digital organisation. The process complexities are inevitable but automating of the key management activities in software or hardware cryptographic modules will keep the management coherent and effective for a longer duration to come.

Please drop a note if this topic also interests you. Any reference or learning material will also be appreciated.