Encryption Key Management Vs Key Vaulting (G23a)
This presentation will compare and contrast the concepts of encryption key management and encryption key vaulting citing specific examples and drawing on the speakers experience with the two relevant industry standards KMIP (Key Management Interoperability Protocol) & PKCS#11.
Given the widespread use of encryption in today’s systems covering everything from traditional securing of data at rest through to full VM encryption and all points in between, we need to be mindful of where those encryption keys reside both to ensure that they are never lost, nor handed to the wrong party.
In many instances, the obvious focus is on the encryption itself, the algorithms used or the performance and scalability features and yet the safekeeping of the keys does not receive the same attention. When solutions are discussed, the term “key management†is fairly common, yet is really only applicable in a subset of cases.
At the grassroots level, key management caters for the whole key lifecycle as well as tracking details about each key. Key managers exist to provide this management and to ensure that the right key is handed to the correct, authorized party. By comparison key vaulting is generally delivered by traditional HSMs. Who exist to protect the stored key at all costs – and this is all. In many cases HSMs are configured to never release the key, requiring all operations to be performed within the cryptographic boundary. Both solution types have a place in the modern security enterprise, yet the differences between them are often not clearly understood.