Skip to main content

Thank You

purple hex pattern

Thank You

Thank you for downloading the Multi-Factor Authentication Buyer's Guide.

Digital Onboarding

purple hex pattern

An onboarding experience built for today’s consumer

Offering customers anywhere-anytime onboarding increases engagement with your institution and fosters trust in your brand – while reducing abandonment rates and fraud.

Introducing the Entrust Digital Account Opening Solution

Secure account creation in minutes

With the Entrust Digital Account Opening Solution, you can enable a seamless onboarding process that significantly reduces the time and effort required for customers and members to open deposit accounts. Learn more about our new solution.

The Numbers

of survey respondents said the speed of account opening was important or very important when evaluating a financial institution.

of survey respondents said that when given the option between biometrics and a password, they will choose biometrics more than half the time.

of customers are comfortable with artificial intelligence (AI) helping their bank detect fraud.

Key Features

fingerprint icon

Biometric Identity Verification

Utilizes advanced biometric identity verification technology, eliminating the need for traditional onboarding methods.

file icon

Document Proofing

Employs sophisticated algorithms to authenticate identification documents, automating the verification process.

user with checkmark icon

EKYC & Device Reputation

Performs comprehensive electronic Know Your Customer checks to assess the authenticity and integrity of the customer’s digital identity.

mobile card icon

Digital & Physical Card Issuance

Enables the issuance of both digital and physical payment cards minutes after account creation and approval.

gray globe with checkmark icon

Supports Regulatory Compliance

Fulfills all necessary eKYC and compliance requirements. Generates detailed audit logs and reports.

man on tablet
Solution Set

Integrated identity and issuance experiences

Identity and Issuance Portfolio

Provide your customer secure access to apps, networks, and devices with our leading technology portfolio that enables payment anytime, anywhere, any way.

 

plum checkmark icon

Digital Account Opening

Identity verification and eKYC for faster, safer financial account creation.

Learn More

plum checkmark icon

Identity as a Service

Give the right access to the right people. Learn more about our cloud-based identity and access management (IAM) solution.

View Solution

plum checkmark icon

Digital Card Solution

Instantly provide digital payment credentials from your bank or credit union’s mobile application to a cardholder’s mobile wallet.

Learn More

plum checkmark icon

Digital Signing

Establish trusted identities and ensure authenticity for digital documents, emails, code, and mobile devices.

Learn More

people blurred walking on walkway through buildings
eBook

Enhance Your Customer’s Day-One Experience

Support your digital transformation journey by understanding the need for secure, seamless account creation. Read our ebook to learn the importance of implementing a frictionless user experience that caters to diverse customer preferences while providing top-value security.

Thank You

purple hex pattern

Thank You

Thank you for downloading the Digital Identity Proofing white paper.

ccoe-wp-thank-you

purple hex pattern

Thank You

Thank you for downloading the Defining a Cryptographic Center of Excellence white paper. In it you'll discover what a Cryptographic Center of Excellence (CryptoCoE) is and the elements that go into its design and execution.

Our experts are ready to offer the cryptographic expertise, tools, and best practices you need to gain visibility and develop a strong crypto strategy for your crypto instances and PKI systems.

How to Manage Encryption Keys

purple hex pattern

What are encryption keys?

Encryption keys are alphanumeric codes or sequences of characters that are used, together with an algorithm or mathematical process, to transform plain text data that anyone can read into scrambled cipher text that is unreadable unless decrypted. Encryption keys are used to protect private and sensitive data in storage, in transit, and in use. Encrypted data or cipher text can only be read once it is descrambled with its associated decryption key.

Encryption keys can be symmetric or asymmetric. When a symmetric encryption key is used, the same key is employed to encrypt and then decrypt the data back to readable text. When asymmetric keys are used, one publicly shared key (public key) encrypts the plain text data and a different key, one that is never shared and kept private (private key), is used to decrypt the data. Whether using symmetric or asymmetric encryption, the objective is to maintain the confidentiality of the encrypted data. Even if the encrypted data falls into the wrong hands, the data remains protected. For this reason, protecting the keys is critical – lose the keys, lose the data.

Why is encryption so common today?

Encryption has a long history and has been used over time, particularly in warfare. Early Greeks used transposition ciphers (a type of encryption) to protect information from falling into enemy hands. In modern times, and with the advent of the information age, encryption has become an indispensable tool to protect data and applications. Initially used primarily in banking and financial applications, its adoption has become widespread across the digital transformation space, becoming a mandated requirement in many regulated industries.

Where is encryption used?

Today, encryption has become a best practice, and is used across a wide spectrum of applications and industries. As more and more everyday activities are carried online, ensuring the confidentiality and integrity of these transactions is critical. Banking, finance, e-commerce, e-government, and healthcare are only a few of the many industries that make extensive use of encryption technology. Most people use encryption every day without even knowing. Whenever you make a purchase online, the order and payment information is encrypted with Transport Layer Security/Secure Socket Layer (TLS/SSL) – a widely used standard that employs both symmetric and asymmetric encryption to secure online connections.

When is encryption used?

Encryption is used to protect the confidentiality of information. Organizations processing sensitive data such as their own intellectual property (IP) and data on their clients including personal identifiable information (PII), personal health information (PHI), payment data that has credit card numbers, and other forms of data that are tied to individuals are often required by various jurisdictions around the globe to protect the data. As organizations store more and more sensitive data to carry on their daily business, storage repositories have become major targets for attacks. As a result, both data in transit (traversing networks) and data at rest (in storage) are typically encrypted to protect from attacks that can compromise their confidentiality, cripple business, and compromise the reputation of organizations.

As information has become the engine that powers modern business, data has come to be an important resource. Government and industry regulatory entities around the globe have stepped up enforcement efforts to ensure the protection of data and the privacy of the individual whose data is being collected. The new regulatory environment has made encryption top of mind for organizational leaders including chief information officers (CIOs), chief information security officers (CISOs), and compliance officers across many industries. This has led to encryption being increasingly build into many applications. Because encryption desensitizes the data, it can also de-scope the extent of certain regulations, increasing security and reducing cost.

Why is key management important?

Encryption is an important tool to protect organizations from data breaches that can cause significant economic and reputational damage. However, encryption can only be as good as the degree to which its associated keys are protected. If one thinks of encryption as the lock on your front door, it can only effectively secure your possessions if you adequately protect the key. Leaving the key under your door mat defeats the protection that the lock provides. If one does not protect the encryption keys, there is no point in encrypting the data – find the keys, access the data. Therefore, sound cryptographic key management is essential to ensure the effectiveness of any data encryption scheme.

Encryption key management includes two main aspects: lifecycle management and access management. Lifecycle management involves the generation, use, storage, update, archive, and destruction of critical cryptographic keys. Access management ensures that only authenticated and authorized users can utilize the keys to encrypt and decrypt the data. It is important to highlight that users today include both humans as well as applications (machines). In fact, more machines typically need access to data than real people. To enable authentication and authorization of users, people and machine identities need to be issued for subsequent validation. This is where a public key infrastructure (PKI) also becomes part of a comprehensive key management strategy.

What makes a good key?

The quality of a cryptographic key is measured by the degree to which it can be defeated by brute force. Like passwords that need to be strong and not be easily guessed, keys need to also be strong, developed using true random number generators. The Federal Information Processing Standards (FIPS) provide guidance on the use of approved hardware-based random number generators. These are typically delivered by certified hardware security modules (HSMs) - dedicated platforms that generate and manage strong keys throughout their lifecycle. While HSMs have traditionally been deployed on-premises, migration to the cloud has also made HSMs available as a subscription-based service. Cloud-based HSMs deliver dedicated hardware platforms as a service for customers to generate and manage keys without the need to buy and maintain their own equipment. When moving applications and data to the cloud, organizations need to think about how the level of ownership, control and possession changes to ensure a strong security posture across the expanding computing ecosystem.

Why do cryptographic keys need protection?

Keys, whether used for encryption to protect the confidentiality of data or for signature to protect its provenance and integrity, underpin the security of the cryptographic process. No matter how strong the algorithm used to encrypt or sign the data, if the associated key is compromised, the security of the process is defeated. For this reason, protecting cryptographic keys is of critical importance.

Because of the random nature of keys that we described earlier, the location of keys in software can be somewhat easy to identify. Attackers looking for sensitive data will go after the keys, as they know that if they get the keys, they can get the data. Keys stored in software can therefore be located and obtained, putting in danger the security of the encrypted data. For this reason, HSMs should always be used to protect keys. The use of HSMs as a root of trust has become a best practice in the cybersecurity industry, recommended by security professionals and many leading application vendors.

Another factor to take into consideration for protecting keys is not only access from external attackers, but also from insiders. The use of HSMs to protect and manage keys provides mechanisms to establish dual controls, so no single internal individual or entity can change key use policies and effectively subvert established security mechanisms. Quorum schemes where a pre-determined minimum set of individuals must come together to affect any changes to the HSM and its key management functions also provides enhanced levels of security.

What does a key management system provide?

A key management system provides the underpinning centralized root of trust necessary to enforce the data security policy across an organization. Controlling not only the lifecycle of all keys, but also maintaining timestamped logs of all user access, it provides a vital tool for auditing and compliance. With increasing cybersecurity threats and growing government and industry regulations, key management systems are becoming indispensable.

Why is key management important for regulatory compliance?

A growing number of government and industry data security regulations require strong encryption and effective cryptographic key management for compliance. Citizen privacy laws such as the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as industry regulations such as the Payment Card Industry Data Security Standard (PCI DSS) among others specifically recognize the need for strong encryption and key management, including the use of certified products to facilitate compliance.

What are the Best Enterprise Key Management Strategies?

purple hex pattern

What is a key management system?

The U.S. National Institute of Standards and Technology (NIST) defines “key management system” and provides best practice recommendations for cryptographic key management in its Special Publication 800-57.

NIST SP 800-57 defines a key management system (KMS) as: “A system for the management of cryptographic keys and their metadata (e.g., generation, distribution, storage, backup, archive, recovery, use, revocation, and destruction). An automated key management system may be used to oversee, automate, and secure the key management process.”

Though encryption is now built into numerous applications, often the encryption only complies with basic capabilities for creating and storing keys, and it’s unable to meet the best practice guidelines for key management detailed in NIST SP 800-57.

As the number of applications using encryption increases, a key management system is essential to ensure the security of the critical cryptographic keys and the data they protect.

What is encryption key management?

Encryption key management addresses the entire lifecycle of cryptographic keys from generation to storing, to protecting, distributing, refreshing, and ultimately destroying keys. Because keys underpin the security of the entire encryption mechanism, it is critical that they have the highest level of protection – a certified hardware security module (HSM).

Learn more about encryption key management.

What is hardware security module (HSM) key management?

The best method for securely managing the life cycle of encryption keys is with a hardware security module. HSM key management is the use of certified, tamper-resistant devices known as hardware security modules, or HSMs, to securely manage the complete life cycle of encryption keys.

Whether deployed on-premises or in the cloud, HSMs provide dedicated cryptographic capabilities and enable the establishment and enforcement of security policies governing the key management process. The use of HSMs is considered a best practice by cybersecurity professionals and regulating authorities for effective management of cryptographic keys.

Learn about our nShield HSMs and the enterprise solutions they enable.

What is a key management server (KMS)?

The widespread adoption of encryption technology by commercial applications led to the proliferation of encryption keys. As organizations struggled to maintain control over their critical keys, the Key Management Interoperability Protocol (KMIP) was created to provide a uniform way to manage cryptographic keys for different applications. To manage keys across KMIP-compliant applications, a KMS provides a mechanism to manage these keys at scale.

Entrust KeyControl is a virtual appliance that provides a KMS for a large range of KMIP-compatible client applications. When combined with an HSM, a KMS enables organizations to manage encryption keys at scale.

Learn about Entrust KeyControl for enterprise key management.

What is the difference between an HSM and KMS?

An HSM provides the hardware root of trust for securely generating, protecting, and using encryption keys. A KMS is used to efficiently manage the entire lifecycle of the keys at scale, and according to compliance standards.

Entrust KeyControl enables enterprises to easily manage all their encryption keys, how often they rotate them, and how they are shared securely with the applications that use them.

Are all encryption keys the same?

No. Just as there are differences between encryption algorithms, there are many differences between encryption keys. Keys can be symmetric or asymmetric, with different uses, and different key sizes.

Regardless of the type, quality keys should always use true random numbers, generated by a FIPS-approved hardware random number generator – a capability typically delivered by certified hardware security modules (HSMs).

Learn what encryption applications and keys are supported by nShield HSMs.

Is enterprise key management possible in the cloud?

Traditionally, robust encryption keys have been developed on-premises using HSMs, but as organizations migrate operations to the cloud, keys can also be generated in the cloud using dedicated cloud-based HSMs.

Cloud-based HSMs, also known as HSMs as a service, provide the same cryptographic functions as on-premises HSMs, but without the need to maintain and host on-premises appliances.

When moving applications and data to the cloud, organizations need to think about how the level of ownership, control, and possession changes from the on-premises model.

Learn about nShield as a Service, our cloud-based HSM solution.

What is encryption key management?

purple hex pattern

Encryption keys are a bedrock concept in cryptography. If they’re not well-protected, you risk exposing your sensitive data resources to unauthorized access and exposure.

Read on to learn all you need to know about encryption key management, including what it is, why it’s important, and how you can improve your cryptographic ecosystem today.

What is encryption key management?

Encryption key management refers to the policies and procedures for generating, distributing, storing, organizing, and protecting cryptographic keys.

In short, a cryptographic key is a data string. That string contains random characters in a particular order. Each one is paired with a cryptographic algorithm, which is a mathematical formula that serves a certain purpose, such as generating a digital signature for authentication. However, most keys are used for encryption.

What is encryption?

Encryption is a cryptographic operation that converts plaintext into ciphertext, thereby securing sensitive data and rendering it unreadable. The encrypted data can only be made readable again if the entity attempting to access the information has the requisite cryptographic keys to decode the ciphertext. This inverse process is what’s known as decryption.

In cryptography, there are two main types of encryption keys: symmetric and asymmetric.

  • Symmetric key encryption uses the same master key for data encryption and decryption. Both parties share the same symmetric key, which means they’re responsible for keeping it secret. Although it’s faster than asymmetric cryptography, it’s much less secure because anyone who gets a hold of the master key can access the information. 
  • Asymmetric key encryption, also known as public key encryption, uses a system called “public key infrastructure” (PKI), which involves two mathematically linked encryption keys. The public key encrypts data and can be freely distributed, while the private key must be kept secret. It’s a longer process but offers much stronger data protection, as you need both to decrypt the message.

For more information, check out our comprehensive guide to encryption.

What secrets management?

Secrets management is a discipline that involves securely storing, accessing, and managing digital authentication credentials — otherwise known as “secrets.”

The name refers to the types of sensitive information organizations must keep confidential because they permit or protect access to critical IT resources, such as computers, databases, or cloud applications. In addition to encryption keys, secrets can include:

  • Passwords
  • Application programming interface (API) keys
  • Secure Shell (SSH) keys
  • Open Authorization (OAuth) tokens
  • Private certificates

How is this different from encryption key management? Think of managing secrets as a broader practice encompassing a wider range of information. Both are critical to data security and overlap to a degree, but key management is specifically focused on protecting encryption keys throughout their lifecycle.

Why is key management important?

Encryption is a vital asset in enterprise data security. By obscuring and scrambling sensitive data, it protects organizations from economic and reputational damage, not to mention legal and regulatory trouble. However, encryption is only as good as the degree to which its associated keys are protected.

Consider encryption the lock on your front door. It’s made to protect your prized possessions, but it can only do so if you adequately protect the key. For example, leaving the key under your doormat defeats the protection your lock provides.

Bottom line: There’s no point encrypting data if you don’t secure the encryption keys. They underpin the entire process, which is why key management is an absolute must-have for any enterprise.

Challenges of encryption key management

Unfortunately, many organizations have trouble keeping their cryptographic keys in check. It’s not uncommon for hackers to get ahold of them — and in turn, access to sensitive information systems.

For example, in July 2023 a China-backed cybercrime group stole a cryptographic key from Microsoft. This allowed them to access Outlook email systems for 25 organizations, including U.S. government agencies. The company later disclosed a series of oversights that led to the breach.

Indeed, managing keys is a complicated endeavor for several reasons:

  • Manual processes are prone to error and can result in devastating consequences.
  • Attackers who gain control of a key management system can issue credentials that make them an insider, potentially with privileges to access systems undetected.
  • Compromised key management processes result in the need to reissue credentials, which can be an expensive and time-consuming process — especially if you’re working by hand.
  • Credential validation rates can vary enormously and can easily outpace the performance characteristics of a key management system, risking business continuity.
  • Business application owners’ expectations around security and trust models are rising and can expose credential management as a weak link that may jeopardize compliance claims.

How does key management work?

Effective key management involves two primary components:

  • Lifecycle management: Creating, maintaining, protecting, and deleting cryptographic keys.
  • Access management: Ensuring that only authenticated and authorized users or machines can use keys to encrypt or decrypt data.

Lifecycle management

Keys have a lifecycle. They’re born, live to fulfill a purpose, and eventually, they retire. It seems simple, but in reality, the process is a bit more nuanced.

The exact order of the encryption key lifecycle can change depending on the situation. In some cases, you might skip phases entirely. Nonetheless, the basic progression works like this:

  • Key generation: First, a key generator, or keygen, uses an encryption algorithm to create a new key. The most important part of key generation is ensuring it’s made using truly randomized numbers. Otherwise, it’s a lot easier for hackers to crack.
  • Key registration: Before a key becomes useful, it must be registered to a user, system, application, or policy. This associates it with the intended purpose and owner.
  • Key storage: Next, you must store the key for safety and easy access. Ideally, you should store it somewhere far away from the data it’s made to protect. It’s best to keep operational keys in an encrypted environment for added security.
  • Key distribution: Once a key is ready for use, it must be securely transferred. A key management system facilitates this process, ensuring only authorized entities can access the key.
  • Key usage: When keys are active and operational, it’s best to limit their use to just one purpose. Using the same key for two different cryptographic processes can weaken security. Likewise, key management software can help organizations monitor key usage and ensure they’re utilized appropriately.
  • Key rotation: Regularly updating keys is essential for maintaining security. Key rotation involves replacing old keys with new ones to minimize the risk of compromise.
  • Key revocation: At the end of the cycle, keys no longer needed or have been compromised should be disabled and promptly deleted. This prevents unauthorized access to sensitive data and eliminates the risk of old, outdated keys from falling into the wrong hands.

Access management

It’s often difficult for organizations to monitor cryptographic keys and which users or machines have access to them. Sometimes, it’s even harder to pinpoint circumstances when permissions are too lenient or if keys are compromised.

That’s where centralized key management software comes into play. With comprehensive control over your encryption keys, you can manage access control policies on a more granular level. Moreover, you can identify potential incidents and revoke keys before it’s too late.

What is a hardware security module?

A hardware security module (HSM) is a physical device that securely generates, stores, and manages encryption keys. HSMs provide tamper-resistant protection and are considered the most secure way to store keys. They enable your enterprise to:

  • Establish a robust root of trust protecting the keys that encrypt your organization's secret credentials. 
  • Secure token signing keys within carefully designed cryptographic boundaries, employing robust access control mechanisms with enforced separation of duties to ensure that keys are only used by authorized entities.
  • Ensure availability by using sophisticated key management, storage, and redundancy features.
  • Deliver high performance to support increasingly demanding enterprise requirements for access to resources from different devices and locations.

What is Bring Your Own Key (BYOK)?

Bring Your Own Key allows enterprises to generate strong keys in a tamper-resistant hardware security module and securely export them to the cloud, thereby strengthening data protection and retaining control and management of their encryption keys.

BYOK has emerged as an essential capability in the era of cloud computing. As organizations increasingly migrate applications, workloads, and data to the cloud, the question of how to manage the keys protecting these resources has garnered much debate.

While some enterprises are content allowing cloud service providers (CSPs) to generate and manage cryptographic keys for them, others might feel it’s at odds with their security policies. Typically, data physically resides with the CSP and out of the organization’s direct control. Encryption protects the data in the cloud, and to ensure its confidentiality and integrity, securing the encryption keys is of paramount importance.

The good news? BYOK is the ideal solution. It enables public cloud users to generate their own high-quality master key locally on-premises and transfer it to their CSP to protect their data. In turn, they gain:

  • Flexibility, convenience, and cost-efficiency
  • Stronger protection for sensitive data applications
  • Fully visibility over key usage in the cloud

Secure key management with Entrust KeyControl

Encryption keys are pivotal to your enterprise security strategy, but keeping them safe is easier said than done. That’s why we designed Entrust KeyControl — a comprehensive key management and compliance platform.

As an end-to-end solution, KeyControl helps you manage, monitor, and control cryptographic keys throughout their lifecycle. It combines the power of centralized key management with the high-assurance security of a decentralized vault-based architecture.

That means you gain all the benefits of having rich visibility over your cryptographic keys without confining them to a single repository. Instead of putting all your eggs in one basket, your assets are distributed according to your needs.

And, with our Entrust nShield HSMs, KeyControl allows you to securely generate keys and enhance security through a strong root of trust.

If you’d like to explore what KeyControl has to offer, check out all the ways it can help your enterprise protect keys at scale.

Want to learn more about key management? Read our latest eBook.