Manage Learn to apply best practices and optimize your operations.

Unlocking best practices for successful encryption key management

The importance of encryption has long been obvious to security professionals, but the complexity of encryption key management can be almost as daunting as the cryptography algorithms themselves. In this tip, W. Curtis Preston examines today's primary encryption key management methods, and offers best practices to help security pros cut a sharp encryption key management strategy.

W. Curtis Preston
answers your questions's live webcast, premiering Wednesday, Feb. 21, 2007 at 12:00 noon ET, reviews the risks of today's backup encryption methods.


The first reason is that data-in-flight encryption has no concept of key memory. Once you move from one key to another, the old key is no longer necessary. However, when encrypting stored data, keys are changed on a regular basis, and the old keys must be kept; otherwise old data encrypted with that key won't be readable. The second reason is that there is no way to rebuild the connection if it is lost. If a VPN breaks due to a corrupted or lost key, all you have to do is rebuild it. However, if you lose or corrupt a key that you used to store a particular piece of data, then that data is lost forever. That's why a good key management system must keep track of which keys were used where, and must make sure that no one has access to those keys.

There are two primary types of key systems used for storing encrypted data today: single-key and multiple-key systems. A single-key system uses some type of key to encrypt the data, and simple possession of that key is all that is needed to decrypt it. If a black hat obtains that key, he or she will be able to read your encrypted data. This is the most rudimentary of all key systems.

Therefore, the first thing to do with a single key system is to create a log of keys that were used in the system and when they were used. This would include the current key and any previous keys that were used to create tapes that you are still using to store data. If there is ever any possibility that a key has been compromised, change the key immediately, and make note of that in the key log.

More on encryption key management

Use encryption to meet PCI Data Security Standard requirements.

Save money without sacrificing database security.

Multiple key systems are very different. These use one set of keys for encrypting the data, and another set of keys for authenticating administrators. The administrators never actually see the keys used to encrypt the data; they only see their username and key. Even if an administrator would be able to steal a copy of the database used to store the encryption keys, he or she would not be able to use them to read your backup tapes unless he or she had a system that was authorized to use the keys.

The way such a system is authorized to use these keys varies from vendor to vendor, but one approach is to use the concept of a key quorum. This is where multiple users must enter their username and key -- and sometimes insert a physical key card -- in order to authorize a new system. Once that's been done, the encryption keys may be used in that system. This prevents a single rogue employee from stealing your tapes and encryption keys and making any sense of them.

About the author:
W. Curtis Preston is vice president of data protection at consultancy Glasshouse Technologies. He is also the author of "The Storage Security Handbook," "Using SANs and NAS," and "Unix Backup and Recovery." Preston has also contributed numerous data protection articles to leading IT publications and has been designing and implementing data protection systems for more than 12 years. Currently he consults on data protection with end users from Fortune 100 and Fortune 500 companies, as well as with vendors around the world. Preston is also one of the mostly highly rated presenters each year at Information Security Decisions.

There are two reasons why "data-in-flight" management systems won't work when encrypting data "at rest." The second thing you must do with a single key system is to place your own process around the storage of the key log. Do whatever you can do to ensure that no single person can obtain access to the key log. For example, store the key log separately from your tapes, and ensure that at least two people must sign another log to gain access to the key log.
This was last published in February 2007

Dig Deeper on Disk and file encryption tools

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.