Skip to main content
purple hex pattern

What is a key management system?

The U.S. National Institute of Standards and Technology (NIST) defines “key management system” and provides best practice recommendations for cryptographic key management in its Special Publication 800-57.

NIST SP 800-57 defines a key management system (KMS) as: “A system for the management of cryptographic keys and their metadata (e.g., generation, distribution, storage, backup, archive, recovery, use, revocation, and destruction). An automated key management system may be used to oversee, automate, and secure the key management process.”

Though encryption is now built into numerous applications, often the encryption only complies with basic capabilities for creating and storing keys, and it’s unable to meet the best practice guidelines for key management detailed in NIST SP 800-57.

As the number of applications using encryption increases, a key management system is essential to ensure the security of the critical cryptographic keys and the data they protect.

What is encryption key management?

Encryption key management addresses the entire lifecycle of cryptographic keys from generation to storing, to protecting, distributing, refreshing, and ultimately destroying keys. Because keys underpin the security of the entire encryption mechanism, it is critical that they have the highest level of protection – a certified hardware security module (HSM).

Learn more about encryption key management.

What is hardware security module (HSM) key management?

The best method for securely managing the life cycle of encryption keys is with a hardware security module. HSM key management is the use of certified, tamper-resistant devices known as hardware security modules, or HSMs, to securely manage the complete life cycle of encryption keys.

Whether deployed on-premises or in the cloud, HSMs provide dedicated cryptographic capabilities and enable the establishment and enforcement of security policies governing the key management process. The use of HSMs is considered a best practice by cybersecurity professionals and regulating authorities for effective management of cryptographic keys.

Learn about our nShield HSMs and the enterprise solutions they enable.

What is a key management server (KMS)?

The widespread adoption of encryption technology by commercial applications led to the proliferation of encryption keys. As organizations struggled to maintain control over their critical keys, the Key Management Interoperability Protocol (KMIP) was created to provide a uniform way to manage cryptographic keys for different applications. To manage keys across KMIP-compliant applications, a KMS provides a mechanism to manage these keys at scale.

Entrust KeyControl is a virtual appliance that provides a KMS for a large range of KMIP-compatible client applications. When combined with an HSM, a KMS enables organizations to manage encryption keys at scale.

Learn about Entrust KeyControl for enterprise key management.

What is the difference between an HSM and KMS?

An HSM provides the hardware root of trust for securely generating, protecting, and using encryption keys. A KMS is used to efficiently manage the entire lifecycle of the keys at scale, and according to compliance standards.

Entrust KeyControl enables enterprises to easily manage all their encryption keys, how often they rotate them, and how they are shared securely with the applications that use them.

Are all encryption keys the same?

No. Just as there are differences between encryption algorithms, there are many differences between encryption keys. Keys can be symmetric or asymmetric, with different uses, and different key sizes.

Regardless of the type, quality keys should always use true random numbers, generated by a FIPS-approved hardware random number generator – a capability typically delivered by certified hardware security modules (HSMs).

Learn what encryption applications and keys are supported by nShield HSMs.

Is enterprise key management possible in the cloud?

Traditionally, robust encryption keys have been developed on-premises using HSMs, but as organizations migrate operations to the cloud, keys can also be generated in the cloud using dedicated cloud-based HSMs.

Cloud-based HSMs, also known as HSMs as a service, provide the same cryptographic functions as on-premises HSMs, but without the need to maintain and host on-premises appliances.

When moving applications and data to the cloud, organizations need to think about how the level of ownership, control, and possession changes from the on-premises model.

Learn about nShield as a Service, our cloud-based HSM solution.