Glossary

What is Key Management?

What is Key Management?

Key management is the process of creating, storing, distributing, rotating, and retiring cryptographic keys used to protect encrypted data. Effective key management ensures that encryption actually delivers the confidentiality and integrity it promises — poorly managed keys can render even strong encryption useless.

Key lifecycle stages

  • Generation — creating keys using cryptographically secure methods with appropriate key lengths
  • Distribution — securely delivering keys to authorized systems or users
  • Storage — protecting keys at rest using hardware security modules (HSMs), key vaults, or other secure storage
  • Rotation — periodically replacing keys to limit the impact of a potential compromise
  • Revocation — disabling keys that are no longer trusted or have been compromised
  • Destruction — securely deleting keys that are no longer needed, ensuring they cannot be recovered

Key management in compliance frameworks

  • PCI DSS — Requirement 3.5 and 3.6 detail specific key management procedures for protecting cardholder data
  • ISO 27001 — A.8.24 covers the use of cryptography including key management policies
  • HIPAA — the Security Rule requires encryption of ePHI, which implies proper key management
  • SOC 2 — CC6.1 and CC6.7 address encryption and key management as part of logical access controls

Best practices

  • Use hardware security modules (HSMs) or cloud key management services (AWS KMS, Azure Key Vault, GCP Cloud KMS) rather than storing keys in application code or configuration files
  • Enforce separation of duties so that key custodians cannot access the data those keys protect
  • Document key rotation schedules and automate rotation where possible
  • Maintain an inventory of all cryptographic keys, their owners, and their expiration dates
  • Test key recovery procedures regularly

How episki helps

episki tracks key management policies, links them to encryption controls, and monitors rotation schedules to ensure cryptographic practices stay compliant. Learn more on our compliance platform.

Related frameworks

cmmcsoc2iso27001pcihipaa

Related terms

encryptiondata-classificationaccess-control

Continue exploring

What is Access Control?

Glossary definition

episki vs Drata

See how we compare

What Makes a CISO Metric Actually Useful?

From the blog

See how episki handles this

Start a free trial and explore controls, evidence, and automation firsthand.
Start free trialBook a demo