Key Rotation and Management
Maximizing Your Encryption Strategy
When encryption fails, it’s usually because key management has failed. If you’re not controlling or maintaining keys used to encrypt sensitive data, then you don’t have a sufficient key management program. Proper key management and rotation is a fundamental principle of data security.
By establishing a key rotation period and schedule that is based on industry-accepted best practices, you will strengthen your encryption strategy. The main source for determining a key rotation period is the quantity of data. How much data is encrypted to a single key? As the quantity of data increases, the frequency of key rotation must increase. At KirkpatrickPrice, we recommend also considering the sensitivity, the longevity, and the security life of the data.
Read more about key rotation in NIST SP 800-88: Guidelines for Media Sanitization.
When encryption fails, it’s not because of the encryption algorithms like AES-128 or 3DES; these are incredibly secure algorithms. They’ve withstood the test of time and years of academic attack. When encryption fails, it’s because key management fails. Talk to anyone who has experience protecting data through encryption and it always comes down to key management.
One of the fundamental principles of managing encryption keys effectively is to establish a key rotation period. That is most often thought of in terms of time. Is it annual, quarterly, every five years? What’s our originating use policy? What’s our recipient usage policy? There’s material from NIST in the NIST 800 series (NIST 800-88) that speaks to all of these aspects of key management and key rotation. One of the most fundamental things to understand about rotating encryption keys is that the principal source for determining our rotation period is the quantity of data. As the number of bytes we’ve encrypted under a single key increases, so does the possibility that two blocks of data, two messages, or two files produce the same encrypted result. As the quantity of data increases, it’s necessary for us to rotate the key.
There are recommendations you can pull from academic articles and other sources, but at KirkpatrickPrice our recommendation is based on the sensitivity, the longevity, and the security life of the data: the limit probably lies between 64GB and 1TB of data encrypted to a single key using an AES-based algorithm. That may not sound like a lot of data, and there are certain cases where more is accepted (for instance, in whole-drive encryption, the algorithms and methods used may allow up to 16TB of data encrypted to a single key), but it is necessary to consider the overall quantity of data encrypted to a single key as part of your key rotation schedule.
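The two ideas above, a rotation period driven by the volume of data encrypted under one key, and the rising chance that two blocks collide as that volume grows, can be made concrete in code. The following is an added example written for this page, not KirkpatrickPrice's tooling or any NIST reference implementation. It assumes a simple tracker that records bytes encrypted per key id, a policy with a byte limit (defaulting to the 64GB lower bound quoted above) and an age limit, and a birthday-bound estimate of block-collision probability for a given block size. The key ids, dates and byte counts in it are constructed sample values.

```python
"""Track per-key data volume and age, and flag keys that need rotation.

Added example for this page (not the author's or NIST's code). The byte
threshold defaults to the 64 GiB lower bound discussed in the text; the
age threshold is an assumed one-year default. Key ids and dates below are
constructed sample values.
"""
import math
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

GIB = 1024 ** 3
TIB = 1024 ** 4


def block_collision_probability(bytes_encrypted: int, block_bits: int = 128) -> float:
    """Birthday-bound estimate that at least two ciphertext blocks coincide.

    With n blocks and a b-bit block size, p ~= 1 - exp(-n(n-1) / 2^(b+1)).
    This is the growing collision risk the text describes as data under one
    key accumulates; it depends on block size, so a 64-bit block cipher
    reaches the same risk at far less data than a 128-bit one.
    """
    n = math.ceil(bytes_encrypted / (block_bits // 8))
    exponent = -(n * (n - 1)) / float(2 ** (block_bits + 1))
    return -math.expm1(exponent)  # equals 1 - exp(exponent), without cancellation


@dataclass
class KeyUsage:
    key_id: str
    created_at: datetime
    bytes_encrypted: int = 0
    encrypt_allowed: bool = True  # False once rotated: decrypt-only (assumed convention)


@dataclass
class RotationPolicy:
    max_bytes: int = 64 * GIB                    # lower bound from the text
    max_age: timedelta = timedelta(days=365)     # assumed time-based limit


@dataclass
class KeyUsageTracker:
    policy: RotationPolicy = field(default_factory=RotationPolicy)
    keys: dict = field(default_factory=dict)

    def register(self, key_id: str, created_at: datetime) -> None:
        self.keys[key_id] = KeyUsage(key_id, created_at)

    def record_encryption(self, key_id: str, nbytes: int) -> None:
        """Account for nbytes encrypted under key_id (rejects retired keys)."""
        usage = self.keys[key_id]
        if not usage.encrypt_allowed:
            raise ValueError(f"{key_id} is retired; encrypt under the current key")
        usage.bytes_encrypted += nbytes

    def rotation_reasons(self, key_id: str, now: datetime) -> list:
        """Return why key_id must rotate now; empty list means it is still fine."""
        usage = self.keys[key_id]
        reasons = []
        if usage.bytes_encrypted >= self.policy.max_bytes:
            reasons.append("byte-limit")
        if now - usage.created_at >= self.policy.max_age:
            reasons.append("age-limit")
        return reasons

    def rotate(self, old_key_id: str, new_key_id: str, now: datetime) -> str:
        """Retire old_key_id to decrypt-only and start counting for new_key_id."""
        self.keys[old_key_id].encrypt_allowed = False
        self.register(new_key_id, now)
        return new_key_id


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed sample date
    tracker = KeyUsageTracker()
    tracker.register("dek-2024-01", t0)
    tracker.record_encryption("dek-2024-01", 70 * GIB)
    print(tracker.rotation_reasons("dek-2024-01", t0 + timedelta(days=30)))
    print(f"AES (128-bit block) at 1 TiB: {block_collision_probability(TIB, 128):.1e}")
    print(f"64-bit block cipher at 32 GiB: {block_collision_probability(32 * GIB, 64):.2f}")
```

The tracker deliberately keeps rotated keys available for decryption, since data encrypted earlier still needs them; only new encryption moves to the fresh key. The collision estimate is why the byte limit, not just the calendar, belongs in the policy: at the text's 1TB upper bound a 128-bit block cipher such as AES is nowhere near its birthday bound, while a 64-bit block cipher such as 3DES is already at meaningful risk around 32GB.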