Skip to main content
banner image
venafi logo

What Is Encryption Key Management?

What Is Encryption Key Management?

November 18, 2022 | Anastasios Arampatzis

As enterprises continue their digital transformation, safe transfer of and access to information is imperative. While humans rely on usernames and passwords to prove our identity, machines rely on keys and certificates to authenticate. With the push to remote work and the explosion of IoT devices, BYODs, VMs, containers, cloud workloads and microservices, there hasn’t been a more important time to maintain secure practices for encryption key management.

Why Do You Need a Control Plane for Machine Identities? Learn More!
Why Is Key Management Important?

Data is only good if it can be trusted. To keep data safe, it is encrypted and decrypted using encryption keys. Key management is important because it helps you keep track of the myriad number of keys floating around your environment. Whoever has those keys has access to the data, so proper key management ensures that person is you, and only you.

Types of Encryption Keys

There are two main types of encryption keys: symmetric and asymmetric.

Symmetric Keys

Symmetric key encryption uses a single key to both encrypt and decrypt data. It is a part of the public key infrastructure (PKI) and makes it possible to transfer data securely across the internet by converting plaintext into ciphertext that is unrecognizable. With symmetric key encryption, both parties share the same key, and safety rests on the key being kept secret. While faster than asymmetric encryption, symmetric encryption is also less safe as anyone who intercepts the key can decrypt the information.

Asymmetric Keys

Asymmetric encryption, or public key encryption, increases security by using two different encryption keys at once; a private and a public key. This way, the private key is known only to the owner, and the public key is available to all via a publicly accessible directory. Both the public and private key are required to decode an encrypted message and ensures that even if someone did steal the public key, the private key is still needed to decrypt the message.

How Key Management Works

Creating, storing, using, and managing cryptographic keys is a multi-step process.

Key Generation

First, the encryption keys need to be made. Key generation is the process of creating the cryptographic key that will both encrypt and decrypt data. Keys are spun up using a key generator, or keygen. These keys are made up of distinct alpha-numeric sequences that include symmetric key algorithms like DES and AES, and public key algorithms like RSA.

Key Storage

Next, the keys must be stored for safety and ease of use. In key storage, a good rule of thumb is that the measures taken to secure a private or public key must be equal to the security with which you’d protect the encrypted message itself.

Key Use

When finding a secure spot for your cryptographic keys, it is important that they are easily accessible and able to be shared. It is vital that you can find them, identify their owners, organize them, update them, and revoke them if needed – en masse, if possible. An automated key management solution can help with this.

Key Revocation

The process of key revocation is handled by a CRL, or Certificate Revocation List. Should a bad actor gain entrance into your network and compromise one of your cryptographic keys, it may be necessary to revoke them all at once. And it is good security hygiene to establish rules to revoke a key and replace it with a new one prior to expiration. Expired keys present a huge liability and can lead to major data breaches.

Key Management Systems

When it comes to key management systems, several options are available.

HSM: A Hardware Security Module (HSM) is a specialized hardware unit that performs all cryptographic functions (encrypting, decrypting, storing, generating and managing cryptographic keys) so your servers don’t have to. It is a physical key management system.

Hosted HSM: A Hosted HSM is a traditional HSM hosted within a cloud environment. 

Intel SGX:  Intel Software Guard Extensions (SGX) is a set of instructions that encrypts sections of memory using security instructions native to the CPU. SGX is a type of hardware-based encryption that allows users to divide a computer's memory into enclaves, which are private, predetermined memory sections that can better safeguard sensitive data, such as encryption keys.

Virtual: A virtual key management system can be downloaded from a vendor and spun up immediately in a virtual environment.

Service Platform: Many vendors will provide managed encryption key management on a pay-as-you-go basis. Cloud providers often offer their own encryption key management offerings, and some provide Key Management as a Service (KMaaS). While convenient, these can operate on a multi-tenant model, meaning that more than one client’s keys can be managed on the same key management instance. This may introduce some security concerns.

Compliance and Best Practices

Key management is needed for compliance with Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the General Data Protection Regulation (GDPR). Some best practices for maintaining compliance include:

  • Avoid hard-coding keys
  • Practice the principle of least privilege
  • Use an HSM as part of your routine
  • Find solutions that use automation to manage your keys at scale
  • Create and enforce policies surrounding key management
  • Split keys into different parts and store separately to prevent compromise
Simplify Key Management with Venafi

To ensure your cryptographic keys are properly configured, stored and rotated, you need an automated key management solution that can scale. Venafi’s Trust Protection Platform manages all cryptographic keys and machine identities across all devices, VMs, APIs, BYODs and machines within your ecosystem. Scan to audit the keys and certificates currently in your environment, then automate their rotation or revocation – individually or at once. Venafi’s automated key management solution simplifies Zero Trust by managing your entire key inventory from a centralized dashboard, anywhere on your system, at enterprise level.

Contact us to learn more.

Related Posts

Lack of Key Management Jeopardizes Data Encryption Strength

All About SSH Key Management and SSH Machine Identities

6 Dangerous SSH Key Management Practices You Should Avoid


Like this blog? We think you will love this.
vulnerable hashing function
Featured Blog

What Is the Hashing Function and Can It Become Vulnerable?

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Anastasios Arampatzis
Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more