Encryption Technology - Enterprise-Grade Key Management
NIST Special Publication 800-57, Recommendation for Key Management, sets out how cryptographic keys should be managed over their life cycle. The areas it covers include the proper techniques and recommendations for the creation, protection and vaulting (backup) of encryption keys.
- Encryption Key Creation: All encryption keys must be generated by a random bit generator, never derived from user-supplied input such as a password. Key generation should use the random number generators of a FIPS 140-2 validated cryptographic module, so that the generated key material is unpredictable and cannot be reproduced, and so that the secret inputs to the process (seeds and entropy) are protected inside the module and never exposed.
- Encryption Key Protection: The key used to encrypt each individual file (the file level encryption key) must itself be encrypted under a symmetric Encryption Wrapping Key. A file level encryption key therefore cannot be used to access data unless the Encryption Wrapping Key(s) are also available. The Encryption Wrapping Keys must never be stored outside the key management system, so that a copy of the wrapped file level keys, however obtained, does not give access to them.
Disaster Recovery and Key Vaulting
In the event of a disaster in which the operational system is disabled or destroyed together with all of its encryption keys, it is imperative that every encryption key can be recovered to restore access to the encrypted data. Without this ability, the data is lost permanently.
The following must be made available to ensure continued access to corporate assets:
- A Key Vault must be established, on-site and preferably off-site, on permanent protected resilient storage.
- Keys must be committed to the Key Vault before ever being utilized to encrypt data.
- Keys must be stored in the Key Vault encrypted under Encryption Wrapping Keys.
- The Encryption Wrapping Keys must be kept in a separate safe location (preferably a physical vault) so that, in the event of a disaster, they can be made available to recover the file level encryption keys restored from the Key Vault.
Alliance’s encryption feature offers multiple options for the storage of encryption keys and adheres to these principles.