Periodically changing the encryption key for protected data is a security best practice and a part of many compliance regulations like the PCI Data Security Standard (PCI DSS).
This encryption key change is sometimes referred to as “Key rotation” or “Key rollover” and these terms mean the same thing. When performing a key change operation you generate a new encryption key, decrypt the protected data with the old encryption key, and then encrypt the data with the new encryption key. After the defined cryptoperiod for the key you archive or escrow the key and it is no longer be used.
There are several factors involved in defining the cryptoperiod for a key. If you want to know more about defining cryptoperiods, you can get a good description in the NIST Special Publication 800-57 Part 1, “Key Management Best Practices”, section 5.3.
Townsend Security's Alliance Key Manager helps you with key rollover by allowing you to specify a cryptoperiod for any symmetric key, and then automatically generating a new key for you at the end of the cryptoperiod. In Alliance Key Manager the cryptoperiod is specified as the number of days from the key creation date. At midnight on the last day of the cryptoperiod, a new version of the key is created and it becomes the default encryption key. The old key is retained and is fully active so that data can still be decrypted with that key.
Like most enterprise key management solutions Alliance Key Manager provides a user-friendly name for an encryption key, and a version identifier. The key name is a normal character name and might be something like Credit card, Human resources, and so forth. The name is meant to provide an easy way for a user or security administrator to locate and use a key.
In Alliance Key Manager the version of the key is called the “Key instance” and is a unique character string. When managing keys the key instance name might look something like this: TGV0IGZyZWVkb20gcmluZw==. Key instance names are always unique and a key may have any number of key instances.
The most recent version of the key is the default, or current, instance of the key. When you retrieve a key in your application, you can leave the key version blank and you will automatically get the most current version of the key. When Alliance Key Manager performs key rollover the new version of the key becomes the current version of the key.
Alliance Key Manager supports three rollover settings for each symmetric key:
- Automatic key rollover at the interval you specify
- Manual rollover that you initiate through the security console
- No key rollover
Whatever key rollover strategy you decide to implement, Alliance Key Manager will provide the tools you need. You can fully automate key rollover, roll keys manually at your convenience, or dis-allow key rollover so that new versions of the key are never generated.