Key Management Best Practices
Cryptographic key lifecycle governance: generation, storage, rotation, and the envelope encryption pattern.
Key management is the lifecycle governance of cryptographic keys: generation, distribution, storage, rotation, revocation, and destruction. Within the Empty Fortress doctrine, key management is what makes encryption meaningful. Encryption without proper key management is a locked door with the key taped to the frame.
Generation requires cryptographically secure random number generators. Never use predictable seeds, timestamps, or homegrown algorithms. Distribution must happen through secure channels — keys should never traverse the same path as the data they protect. Storage demands hardware security modules (HSMs) or cloud KMS solutions — never in plaintext config files, environment variables accessible to application code, or source control. Rotation must be automated and regular, with zero-downtime key transitions. Revocation must be immediate and verifiable when a key is compromised. Destruction must be cryptographically complete — deleted keys must be irrecoverable.
Envelope encryption is the standard pattern for scalable key management. Data is encrypted with a data encryption key (DEK). The DEK is encrypted with a key encryption key (KEK) stored in a KMS. Only the encrypted DEK is stored alongside the data. This allows key rotation without re-encrypting all data — you only re-encrypt the DEK.
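The envelope pattern above, together with the lifecycle steps from the previous paragraph (CSPRNG key generation, rotation without re-encrypting data, and destruction that makes records irrecoverable), as an added worked example. This is illustration code, not code from the page or from any CDA project. The `MockKMS` type is an assumption standing in for a cloud KMS or HSM: it holds KEKs by ID and exposes only wrap and unwrap, never the KEK bytes; in production those two methods would be calls to the KMS API. The choice to bind the KEK ID into the wrapped DEK as AEAD associated data is this example's design decision, not something the article specifies.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnvelopeRecord is what gets persisted beside the data: the ciphertext and the
// DEK wrapped under a named KEK. The plaintext DEK is never stored.
type EnvelopeRecord struct {
	KEKID      string
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK, aad=KEKID)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, data)
}

// MockKMS stands in for a cloud KMS/HSM (constructed for this example). Callers
// only ever get wrap/unwrap operations; KEK bytes stay inside.
type MockKMS struct{ keks map[string][]byte }

func NewMockKMS() *MockKMS { return &MockKMS{keks: map[string][]byte{}} }

// CreateKEK generates a 256-bit KEK from the OS CSPRNG (crypto/rand), never
// from a timestamp or a homegrown PRNG.
func (k *MockKMS) CreateKEK(id string) error {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return err
	}
	k.keks[id] = kek
	return nil
}

// RetireKEK destroys a KEK. Any record still wrapped under it becomes
// irrecoverable, which is the destruction property the text requires, so
// rotate every record off a KEK before retiring it.
func (k *MockKMS) RetireKEK(id string) { delete(k.keks, id) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh random nonce; output is nonce||ct.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// unseal is the inverse of seal; GCM authentication fails on any tampering.
func unseal(key, blob, aad []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// WrapDEK encrypts a DEK under the named KEK, binding the KEK ID as AAD so a
// wrapped DEK cannot be re-attributed to a different KEK.
func (k *MockKMS) WrapDEK(kekID string, dek []byte) ([]byte, error) {
	kek, ok := k.keks[kekID]
	if !ok {
		return nil, fmt.Errorf("unknown KEK %q", kekID)
	}
	return seal(kek, dek, []byte(kekID))
}

func (k *MockKMS) UnwrapDEK(kekID string, wrapped []byte) ([]byte, error) {
	kek, ok := k.keks[kekID]
	if !ok {
		return nil, fmt.Errorf("unknown KEK %q", kekID)
	}
	return unseal(kek, wrapped, []byte(kekID))
}

// Encrypt implements the envelope: fresh DEK per record, data under the DEK,
// DEK under the KEK. The DEK is discarded after use.
func Encrypt(kms *MockKMS, kekID string, plaintext []byte) (*EnvelopeRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := kms.WrapDEK(kekID, dek)
	if err != nil {
		return nil, err
	}
	return &EnvelopeRecord{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func Decrypt(kms *MockKMS, rec *EnvelopeRecord) ([]byte, error) {
	dek, err := kms.UnwrapDEK(rec.KEKID, rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, rec.Ciphertext, nil)
}

// RotateKEK re-wraps the DEK under a new KEK and leaves the ciphertext untouched:
// rotation cost is one 32-byte DEK per record, not the size of the data.
func RotateKEK(kms *MockKMS, rec *EnvelopeRecord, newKEKID string) error {
	dek, err := kms.UnwrapDEK(rec.KEKID, rec.WrappedDEK)
	if err != nil {
		return err
	}
	wrapped, err := kms.WrapDEK(newKEKID, dek)
	if err != nil {
		return err
	}
	rec.KEKID, rec.WrappedDEK = newKEKID, wrapped
	return nil
}

func main() {
	kms := NewMockKMS()
	_ = kms.CreateKEK("kek-v1")
	_ = kms.CreateKEK("kek-v2")
	rec, _ := Encrypt(kms, "kek-v1", []byte("constructed sample record")) // constructed input
	before := append([]byte(nil), rec.Ciphertext...)
	_ = RotateKEK(kms, rec, "kek-v2")
	kms.RetireKEK("kek-v1") // safe: no record references kek-v1 any more
	pt, err := Decrypt(kms, rec)
	fmt.Printf("ciphertext unchanged by rotation: %v\n", bytes.Equal(before, rec.Ciphertext))
	fmt.Printf("decrypted under kek-v2: %q (err=%v)\n", pt, err)
}
```

The rotation step is where the pattern pays off: `RotateKEK` touches only the wrapped DEK, so moving a million records from `kek-v1` to `kek-v2` reads and writes a million 60-byte blobs, not a million payloads. The `RetireKEK` call shows the inverse risk: once a KEK is destroyed, anything still wrapped under it is gone, which is why a key inventory (which records reference which KEK) must exist before destruction is permitted.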
Common anti-patterns include hardcoded keys in source code, keys stored in the same database as the data they encrypt, no key rotation policy, keys shared across environments, no inventory of where each key is used, and manual key management processes that do not scale.
In an Empty Fortress architecture, key management serves a dual purpose. It protects the data you must hold, and it enables client-side encryption patterns where your systems never see plaintext. When the client holds the key, you cannot decrypt their data even if compelled — this is ZPA in cryptographic form.
Key management is the difference between real encryption and security theater. Use envelope encryption with cloud KMS or HSMs. Automate rotation, track every key, and never store keys alongside the data they protect.
Written by CDA Editorial