richardschneider / yappy

Yet another REST API server howling at the moon with JSON
MIT License

Key management #114

Open richardschneider opened 8 years ago

richardschneider commented 8 years ago

Encryption solutions for data-at-rest will be protecting data for potentially very long periods of time. In many ways, the key management system may well be the single most important component of your storage security solution. As we’ve discussed, you will likely need to maintain keys for many years. You need assurance that the keys used to encrypt data will be available whenever and wherever authorized access to data is required. At the same time, the keys need to be secured so that they themselves aren’t compromised (resulting in a data breach).

Data at Rest

richardschneider commented 8 years ago

Rule - Build support for changing algorithms and keys when needed

If keys are compromised or an external authority expires them, key changes will be needed. Application policies or emergency needs will force application administrators to rotate keys and potentially rekey data at some point. It's best to be prepared to rapidly handle this need when necessary. Including a key version and encryption algorithm version with the encrypted data is a useful, proactive feature. For instance, including a simple prefix string, such as "{1,1}...", prior to the encrypted data could indicate algorithm version 1, key version 1. This allows for an "online" change to the encryption algorithm and key without re-encrypting all existing data all at once.