Encryption key management basics

Topic: Security basics

Summary

Encryption keys must be stored and used securely: separate from the data, access-controlled, and rotated per policy. Use a KMS or vault; avoid storing keys in config or code. Use this when enabling encryption or designing key lifecycle.

Intent: How-to

Quick answer

  • Keys should not live with the data they protect. Use a KMS (cloud or HashiCorp Vault) so the app requests encryption/decryption or a data key; the master key never leaves the KMS.
  • Restrict who and what can use each key (IAM, policy). Rotate keys on a schedule or after compromise; re-encrypt data with a new key if the old key is retired. Have a plan for key loss (backup, recovery).
  • For data at rest, prefer provider-managed keys (e.g. S3 SSE, RDS encryption) so the provider handles storage and rotation. For app-level encryption, use the KMS to generate or wrap data keys.

Prerequisites

Steps

  1. Keep keys separate

    Do not store encryption keys in the same place as the encrypted data. Use a KMS or vault; the app calls the KMS to encrypt/decrypt or to get a data key; the root or master key never leaves the KMS.

  2. Control access

    Limit which identities (user, role, service) can use which keys. Use IAM or vault policies; audit key use. Prefer short-lived credentials to call the KMS so compromise scope is limited.

  3. Rotate and retire

    Rotate keys on a schedule or after suspected compromise. If the system supports key versioning, new data uses the new key; re-encrypt old data if you retire a key. Document recovery if a key is lost.

  4. Prefer managed where possible

    Use provider-managed encryption (S3 SSE, RDS encryption, etc.) so the provider handles key storage and rotation. For custom encryption, use the KMS to generate or wrap keys.
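The envelope-encryption pattern that the quick answer and steps 1 to 3 describe, as an added example that is not part of the original page: a constructed in-process stand-in for a KMS holds the master key versions and never hands them out, enforces a per-key caller policy, and supports rotation, re-wrapping of stored data keys, and retirement of an old version. The `KMS` type, the `orders-service` identity, and the one-byte version prefix on wrapped keys are assumptions of this example, not the API of any real cloud KMS or of Vault.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KMS is a constructed stand-in for a key management service: master key
// versions live only inside this struct and are never returned to callers.
type KMS struct {
	versions [][]byte        // index = master key version; nil = retired
	allowed  map[string]bool // identities permitted to use this key (policy)
}

// NewKMS creates a key with an initial master key version and a caller policy.
func NewKMS(allowedCallers ...string) *KMS {
	k := &KMS{allowed: map[string]bool{}}
	for _, c := range allowedCallers {
		k.allowed[c] = true
	}
	k.Rotate() // version 0
	return k
}

func randomKey() []byte {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return key
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal/open use AES-256-GCM with a random nonce prefixed to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

func (k *KMS) authorize(caller string) error {
	if !k.allowed[caller] {
		return fmt.Errorf("access denied for %q", caller)
	}
	return nil
}

// Rotate adds a new master key version. Older versions stay usable for
// unwrapping until retired, so ciphertext already stored keeps working.
func (k *KMS) Rotate() int {
	k.versions = append(k.versions, randomKey())
	return len(k.versions) - 1
}

// Retire destroys a master key version; anything still wrapped under it is
// unrecoverable afterwards, which is why ReEncrypt must run first.
func (k *KMS) Retire(version int) { k.versions[version] = nil }

// wrap seals a data key under the current version: [version || AES-GCM(key)].
func (k *KMS) wrap(plain []byte) ([]byte, error) {
	v := len(k.versions) - 1
	sealed, err := seal(k.versions[v], plain)
	if err != nil {
		return nil, err
	}
	return append([]byte{byte(v)}, sealed...), nil
}

// GenerateDataKey returns a fresh data key in plaintext (used once by the
// caller, then discarded) plus the same key wrapped under the master key.
func (k *KMS) GenerateDataKey(caller string) (plain, wrapped []byte, err error) {
	if err := k.authorize(caller); err != nil {
		return nil, nil, err
	}
	plain = randomKey()
	wrapped, err = k.wrap(plain)
	return plain, wrapped, err
}

// Unwrap recovers a data key using the master key version recorded in it.
func (k *KMS) Unwrap(caller string, wrapped []byte) ([]byte, error) {
	if err := k.authorize(caller); err != nil {
		return nil, err
	}
	if len(wrapped) == 0 {
		return nil, errors.New("empty wrapped key")
	}
	v := int(wrapped[0])
	if v >= len(k.versions) || k.versions[v] == nil {
		return nil, fmt.Errorf("master key version %d unavailable", v)
	}
	return open(k.versions[v], wrapped[1:])
}

// ReEncrypt rewraps a data key under the current version without touching
// the bulk ciphertext; this is what makes rotation cheap.
func (k *KMS) ReEncrypt(caller string, wrapped []byte) ([]byte, error) {
	plain, err := k.Unwrap(caller, wrapped)
	if err != nil {
		return nil, err
	}
	return k.wrap(plain)
}

// Envelope is what the application stores beside its data: bulk ciphertext
// plus the wrapped data key. No master key material is present here.
type Envelope struct {
	WrappedKey []byte
	Ciphertext []byte
}

func EncryptRecord(k *KMS, caller string, plaintext []byte) (Envelope, error) {
	dataKey, wrapped, err := k.GenerateDataKey(caller)
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dataKey, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

func DecryptRecord(k *KMS, caller string, e Envelope) ([]byte, error) {
	dataKey, err := k.Unwrap(caller, e.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, e.Ciphertext)
}

func main() {
	kms := NewKMS("orders-service") // constructed policy: one allowed identity
	env, _ := EncryptRecord(kms, "orders-service", []byte("constructed record"))
	_, err := DecryptRecord(kms, "unknown-job", env)
	fmt.Println("unauthorised caller:", err)
	kms.Rotate()
	env.WrappedKey, _ = kms.ReEncrypt("orders-service", env.WrappedKey)
	kms.Retire(0)
	pt, err := DecryptRecord(kms, "orders-service", env)
	fmt.Printf("after rotate and retire: %s (err=%v)\n", pt, err)
}
```

Running `main` shows the two failure modes the page points at: a caller outside the policy is refused before any key material is touched, and once version 0 is retired anything still wrapped under it is unrecoverable, so `ReEncrypt` has to run over every stored wrapped key before `Retire`. Only the small wrapped-key blobs are rewritten during rotation; the bulk ciphertext stays as it is, and the plaintext data key returned by `GenerateDataKey` should be discarded from memory as soon as the record is sealed.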

Summary

Keep keys in a KMS or vault, separate from data; control access and rotate keys. Prefer provider-managed encryption where possible. Use this when designing or auditing encryption and key lifecycle.

Prerequisites

Steps

Step 1: Keep keys separate

Use a KMS or vault; apps request encrypt/decrypt or data keys. Master keys do not leave the KMS.

Step 2: Control access

Limit which identities can use which keys via IAM or vault policy. Audit key use.

Step 3: Rotate and retire

Rotate on a schedule or after compromise. Re-encrypt data when retiring a key; document recovery.

Step 4: Prefer managed where possible

Use provider-managed encryption (S3, RDS, etc.) when it meets requirements; use KMS for custom encryption.

Verification

Keys are in a KMS or vault; access is restricted and audited; rotation and recovery are documented and tested.

Troubleshooting

  • Key in config: Move it to the KMS; rotate the key and update the app.
  • Key loss: If there is no backup or recovery path, data encrypted with that key may be unrecoverable; prevent this by using a managed KMS and keeping backups.
