How to manage encryption keys



Sampling of encryption-key management products


Application Security Inc.
AppSecInc Console

CA Inc.
BrightStor Tape Encryption

Disuk Ltd.

EMC Corp./RSA Security Inc.
Key Manager

Authority Security Manager

Ingrian Networks Inc.
DataSecure Platforms

Nexsan Technologies

PGP Corp.
PGP Encryption Platform, PGP NetShare

Protegrity Corp.
Defiance Suite

Spectra Logic Corp.
BlueScale Encryption

Symantec Corp.
Symantec Backup Exec

WinMagic Inc.
SecureDoc Enterprise Server

Storing keys
There are a number of issues to consider when storing keys:

  • Will they be stored on each client that needs to access the information, on a central server that requires authentication to release the key, or in a hardware device such as a smart card or USB key?
  • How will you ensure that keys will still be available in five, 10 or 50 years when access to archived data is required?
  • Will an authorized staffer be able to access keys in a disaster when servers must be rebuilt from encrypted backups without the original backup software or tape drive that did the encryption?
  • How do you track what data was encrypted with which key, and where the key is stored?
Some enterprise-oriented backup products, such as Symantec Corp.'s Backup Exec and Veritas NetBackup, or CA Inc.'s BrightStor ARCserve Backup, can address these issues, provided you aren't backing up platforms the software doesn't support or running different backup applications at other sites. Other specialized products, such as those from WinMagic Inc., provide enterprise-oriented storage of keys for encryption of workstation or server disk storage.

Most encryption-key management products from established vendors (see "Sampling of encryption-key management products," above) offer substantial benefits compared to home-grown solutions (such as keeping the keys in an Excel spreadsheet or Access database), including:

  • Automatic key management. Users don't create the keys themselves and can't inadvertently leak them because the keys are always stored encrypted.
  • Key material is generated from random input rather than from user-chosen strings.
  • The keys used to encrypt (wrap) backup keys are separate and distinct from the backup keys themselves. Keys are never stored or transmitted in the clear.
  • Because keys are generated automatically and stored securely, they can be changed regularly.
  • Provisions for distributed and clustered key management systems provide quick responses at any location when data needs to be accessed; if necessary, keys can be replicated so that the failure of one appliance won't result in data loss.
  • Provisions for software-based recovery of encrypted data using keys stored on hardware (smart cards or USB keys).
  • Reporting tools make it easy to associate keys automatically with specific backup tapes or encrypted stores.
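As an added illustration, not code from the article or from any vendor listed above, the following Python sketch applies the principles in this list: each backup set gets its own randomly generated data-encryption key (DEK), the DEK is stored only in wrapped form under a separate key-encryption key (KEK), the registry records which backup was encrypted with which key and under which KEK version, and the KEK can be rotated by rewrapping. The wrapping cipher (HMAC-SHA256 in counter mode with an HMAC tag) is an assumption made so the example runs with the standard library alone; a real product would use AES key wrap or a hardware security module.

```python
import hmac, hashlib, secrets

def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    # Assumed stand-in for a block cipher: HMAC-SHA256 driven in counter mode.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def wrap(kek: bytes, dek: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag. The DEK never leaves in the clear.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(kek, nonce, len(dek))))
    tag = hmac.new(kek, b"wrap" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"wrap" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check (wrong KEK or tampered record)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))

class KeyRegistry:
    """Tracks which backup set was encrypted with which key; holds only wrapped DEKs."""
    def __init__(self, kek: bytes):
        self._kek, self.kek_version = kek, 1
        self.records = {}  # backup_id -> {"key_id", "wrapped", "kek_version"}

    def issue_key(self, backup_id: str) -> bytes:
        dek = secrets.token_bytes(32)               # random key material, not user-chosen
        self.records[backup_id] = {"key_id": secrets.token_hex(8),  # opaque label for reports
                                   "wrapped": wrap(self._kek, dek),
                                   "kek_version": self.kek_version}
        return dek                                  # handed to the backup job, never stored

    def key_for(self, backup_id: str) -> bytes:
        # Recovery path: release the DEK only after the wrapped record authenticates.
        return unwrap(self._kek, self.records[backup_id]["wrapped"])

    def rotate_kek(self, new_kek: bytes) -> None:
        # Regular key change: rewrap every DEK under the new KEK; the data itself is untouched.
        for rec in self.records.values():
            rec["wrapped"] = wrap(new_kek, unwrap(self._kek, rec["wrapped"]))
            rec["kek_version"] = self.kek_version + 1
        self._kek, self.kek_version = new_kek, self.kek_version + 1
```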

This was first published in October 2006
