Key management system

Long Vu
3 min readNov 17, 2024

--

We utilize a master key and a key reference system to ensure the security of the key.

Master key

  • The root of the key hierarchy
  • Stored securely in HSM/KMS
  • Used to protect other keys
  • Never leaves secure hardware
  • The foundation of key security system
class MasterKeySystem:
def __init__(self):
self.hsm = HSMClient()

def create_master_key(self):
# Master Key created and stored in HSM
master_key_id = self.hsm.generate_master_key()
return master_key_id

def encrypt_data_key(self, data_key):
# Encrypt actual encryption key using master key
master_key = self.hsm.get_master_key()
encrypted_key = encrypt(data_key, master_key)

# Return reference to encrypted key
return {
'key_id': generate_uuid(),
'encrypted_key': encrypted_key
}
1. Security:
- Actual keys never stored in application/database
- Keys protected by hardware security
- Limited exposure of sensitive key material

2. Management:
- Centralized key control
- Easier key rotation
- Better audit tracking
- Simplified access control

Key Reference

  • Pointer/identifier to encrypted keys
  • Contains metadata about the key
  • Stored in database
  • It doesn’t contain actual key material
  • Used to track and manage keys
class KeyReferenceSystem:
def generate_data_key(self):
# 1. Generate actual data key
data_key = os.urandom(32)

# 2. Encrypt with master key
encrypted_key = self.encrypt_with_master_key(data_key)

# 3. Store reference in database
key_reference = {
'key_id': uuid.uuid4(),
'encrypted_key': encrypted_key,
'created_at': datetime.now(),
'status': 'active'
}

return key_reference

def use_key_reference(self, key_reference):
# 1. Get encrypted key from reference
encrypted_key = key_reference['encrypted_key']

# 2. Decrypt using master key from HSM
data_key = self.decrypt_with_master_key(encrypted_key)

# 3. Use key for operation but never store
return data_key

How it work

1. Key Creation:
Master Key (HSM) → Encrypts Data Key → Store Key Reference

2. Key Usage:
Get Reference → Use Master Key → Decrypt Data Key → Use → Wipe

3. Key Rotation:
New Key → Encrypt with Master → Update Reference → Retire Old
1. Database Encryption:
Master Key → TDE Key → Data Encryption

2. Application Data:
Master Key → Application Keys → Data Keys

3. Storage:
Master Key → Volume Keys → Sector Keys
class EncryptionService:
def encrypt_sensitive_data(self, data):
try:
# 1. Get key reference from database
key_ref = self.db.get_key_reference('active_key')

# 2. Get master key from HSM
master_key = self.hsm.get_master_key()

# 3. Decrypt the data key
data_key = decrypt(
key_ref['encrypted_key'],
master_key
)

# 4. Use data key to encrypt data
encrypted_data = encrypt(data, data_key)

# 5. Clear data key from memory
self.secure_wipe(data_key)

return encrypted_data

except Exception as e:
log.error(f"Encryption failed: {str(e)}")
raise
class KeyRotation:
def rotate_keys(self):
# 1. Generate new data key
new_data_key = os.urandom(32)

# 2. Encrypt with current master key
encrypted_key = self.encrypt_with_master_key(new_data_key)

# 3. Create new reference
new_reference = {
'key_id': uuid.uuid4(),
'encrypted_key': encrypted_key,
'created_at': datetime.now()
}

# 4. Update database
self.update_key_reference(new_reference)

KMS interacts with multiple-layer flow

KMS Tools

  • HashiCorp Vault Enterprise
Strengths:
- Comprehensive key management
- Multi-layer encryption support
- Strong access control
- Excellent integration capabilities
- Auto key rotation
- Dynamic secrets
- API-driven
- High availability
- Disaster recovery

Layer Support:
- Application: ✓ API & SDK support
- Transport: ✓ TLS certificate management
- Database: ✓ Database credential management
- Storage: ✓ Encryption as service
  • Thales CipherTrust Manager
Strengths:
- Enterprise-grade security
- FIPS 140-2 certified
- Comprehensive key lifecycle
- Multi-cloud support
- Centralized management
- Strong compliance features

Layer Support:
- Application: ✓ API integration
- Transport: ✓ SSL/TLS management
- Database: ✓ Database encryption
- Storage: ✓ Storage encryption

For example, Vault interacts with multiple-layer

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

--

--

Long Vu
Long Vu

Written by Long Vu

Product builder, Engineering Manager, AI enthusiastic

No responses yet

Write a response