An Encryption Key Lifecycle

This blog post is an excerpt from our recent report, Enterprise Key Management, The Key to Public Sector Datay Security. To download the full report, head here.

An encryption key goes through a number of possible stages during its lifecycle. It must be created, used, possibly changed and eventually disposed of. The National Institute of Standards and Technology identifies the stages as: preactivation, active, suspended, deactivated, compromised, destroyed, destroyed compromised and revoked. Each key is used differently and might not go through each of these stages.

For example, not every key will be compromised. And keys can pass through different stages of their lifecycles in different orders. A key might go from being active directly to deactivated, or it might be suspended. And a suspended key could be reactivated or deactivated.

When thousands or even millions of keys are being managed throughout the lifecycle stages it can quickly become overwhelming. An agency might want to simplify the process by managing keys locally with each encryption application or device. But this can become unwieldy and undependable, and there is risk in locating keys with the application. Any compromise to the application puts the keys at risk.

As agencies grow in complexity and adopt encryption across a greater portion of the enterprise, they need to move beyond local key management. The visibility into security controls offered by a single centralized view lets agencies achieve economies of scale and helps ensure policy and regulatory compliance. Enterprise secure key management, in which keys are managed centrally across the entire lifecycle through a single pane of glass, provides this visibility and reduces the risk of keys being compromised locally. It is more economical, provides high-assurance security with hardened appliances for policy enforcement and lends itself to automation. “The more you can automate, the better off you are,” Charitat said.