Chapter 7: Key Management         

• Keys must be distributed securely to the right entities and updated continuously.
• Keys must be protected as they are transmitted and while they are being stored on each workstation and server.
• Keys must be generated, destroyed, and recovered properly.
• Key management can be handled through manual or automatic processes.
• Keys are stored before and after distribution.
• The key, algorithm that will use the key, configurations, and parameters are stored in a module that also needs to be protected.

Chapter 7: Key Management Principles

• Keys should not be available in cleartext.
• All key distribution and maintenance should be automated and hidden from the user and these processes should be integrated into software or the operating system.
• Backup copies of the key should be available and easily accessible when required.
• The key recovery process could require two or more other individuals to present their private keys or authentication information and these individuals should not all be members of the IT department.

• Rules for Keys and Key Management
• The key length should be long enough to provide the necessary level of protection.
• Keys should be stored and transmitted by secure means.
• Keys should be extremely random, and the algorithms should use the full spectrum of the keyspace.
• The Key’s lifetime should correspond with the sensitivity of the data it is protecting. (Less secure data may allow for a longer key lifetime, whereas more sensitive data might require a shorter key lifetime.)
• The more the key is used, the shorter its lifetime should be
• Keys should be backed up or escrowed in case of emergencies.
• Keys should be properly destroyed when their lifetime comes to an end.