Key Management Best Practices
- Updated On 16 Oct 2020
Third-party Key Management Service (KMS) integration gives organizations control of master encryption keys held outside the SecureCircle Server. The following are best practices when integrating a KMS with SecureCircle.
Redundancy and High Availability
The HSM/KMS and access to it (e.g., network routes) should be highly available. Master encryption keys should be backed up and redundant so they can be recovered if the KMS experiences an outage. If the SecureCircle Server cannot reach the KMS, it cannot provide encryption/decryption keys for data in Circles whose Key Management policy uses that KMS.
Because the SecureCircle Server uses key derivation to provide per-file encryption keys, external KMS keys can be rotated at any time without triggering re-encryption of existing data. New data is encrypted using keys based on the new master key, while existing data can still be decrypted using previous master keys.
The default, built-in KMS also supports key rotation: create a new KMS policy that refers to it, then apply that policy to a Circle.
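The sketch below is an added illustration, not SecureCircle code. It shows why derivation-based per-file keys let a master key rotate without re-encrypting anything, and why previous master keys must stay recoverable. It assumes HKDF-SHA256 as the derivation function and a file header that records the master key version; the `Keyring` class, header fields and `demo` function are hypothetical names.

```python
import hashlib
import hmac
import os

def hkdf_sha256(master_key: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Assumed KDF for illustration: HKDF (RFC 5869), extract then expand."""
    prk = hmac.new(salt, master_key, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

class Keyring:
    """Hypothetical stand-in for a KMS holding versioned master keys."""
    def __init__(self):
        self.versions = {}  # version number -> master key bytes
        self.current = 0

    def rotate(self) -> int:
        self.current += 1
        self.versions[self.current] = os.urandom(32)
        return self.current

    def new_file_header(self) -> dict:
        # The header names the master key version; it never holds key material.
        return {"key_version": self.current, "file_id": os.urandom(16)}

    def file_key(self, header: dict) -> bytes:
        master = self.versions.get(header["key_version"])
        if master is None:
            raise KeyError(f"master key v{header['key_version']} unavailable")
        return hkdf_sha256(master, header["file_id"], b"file-encryption")

def demo() -> tuple:
    kms = Keyring()
    kms.rotate()                       # master key v1
    old_hdr = kms.new_file_header()
    old_key = kms.file_key(old_hdr)
    kms.rotate()                       # master key v2; existing files untouched
    new_hdr = kms.new_file_header()
    survives_rotation = kms.file_key(old_hdr) == old_key
    del kms.versions[1]                # simulate an unrecoverable old master key
    try:
        kms.file_key(old_hdr)
    except KeyError:
        return old_hdr, new_hdr, survives_rotation, True
    return old_hdr, new_hdr, survives_rotation, False
```

The last value returned by `demo()` is the failure case: once the v1 master key is gone, the key for the older file can no longer be derived.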
Device File Encryption Key Caching Management
While not directly related to the KMS, derived file encryption keys may be cached on devices, with a TTL set by the Key Cache TTL in the Client Configuration policy applied to a Circle. If an organization has requirements (e.g., for compliance) that file encryption keys no longer exist on devices after a certain amount of time, set the Key Cache TTL accordingly; this setting is independent of the KMS.