How to manage encryption keys


This article can also be found in the Premium Editorial Download "Storage magazine: What you need to know about data storage provisioning."

Download it now to read this article plus other related content.

Encryption is an effective way to secure data, but the encryption keys used must be carefully managed to ensure data remains protected and accessible when needed.

Encryption is pushing its way into more corners of the enterprise. From database fields for customer credit cards or social security numbers, to laptop hard drives with proprietary data, more storage is being encrypted more frequently. Every encrypted item needs a key to unlock the encrypted data, and managing the hundreds or thousands of keys used across an enterprise can be a big headache.

The specter of data loss is the biggest reason why encryption isn't implemented more widely. Most experienced system administrators are conservative when it comes to new technologies that could potentially lock them out of their own data. On the other hand, business requirements, legislation and liability for lost data are driving encryption forward. For the moment, centrally and securely managing encryption of all of the various types of data across the whole enterprise is only a dream--unless you use the same vendor for all of your encryption tasks.

Many vendors are pushing for a single encryption-key management standard. Decru Inc., nCipher Corp. Ltd., NeoScale Systems Inc. and Vormetric Inc. all have, or will shortly have, open platforms that should be able to manage keys from other vendors. All of these systems control key access, even if the storage systems are compromised and the keys

Requires Free Membership to View

aren't available locally. Keys are associated with specific data repositories, ensuring that the key necessary for a specific directory or file can be readily identified. Once access requirements are fulfilled, keys are provided on demand; management systems also encrypt keys in transit and delete keys when they're no longer needed. Audit logs show who has accessed what data, and when that access occurred. In addition, these systems limit key generation and modification to specific authorized personnel.

This was first published in October 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: