Manage Encryption Keys

 

Next Steps
Overview Algorithms Format Preserving Encryption Hashing Key Management

Challenges


Every encrypted data item can only be decrypted with an encryption key. Managing key access and storage is, therefore, important; but it can also be challenging.

Mislaid keys can mean valuable data loss. Thousands of items may be protected by different algorithms and keys. Stolen keys can result in data breach and misuse.

Solutions


The IRI FieldShield and IRI DarkShield data masking tools in the IRI Data Protector suite and IRI Voracity platform provide several ways to manage encryption keys. One way is to specify the keys directly within each field encryption or decryption specification.

This is consistent with this Gary Palgon's advice:

"Centralize key management with distributed execution. A solution that employs a hub-and-spoke architecture for distributed key management allows encryption and decryption nodes to exist at any point within the enterprise network. Spoke key-management components are easily deployed to those nodes and integrated with the local encryption applications. Once the spoke components are active, all encryption and decryption of the formerly clear text data is performed locally to minimize the risk of a network or single component failure having a large impact on overall data security."

- Enterprise System Journal

Other ways include: specifying them in a hidden and/or secure key file, through an environment variable, or by using a public/private key pair system.

You can also work with IRI to integrate your key provisioning or storage appliance to these methods. The example below shows the use of FieldShield with encryption keys stored in the Azure Key Vault. You can also manage these keys in Alliance Key Manager from Townsend Security to leverage its HSM and other advanced features.

RowGen in Workbench


See also

Blog > Data Masking > Encryption Key Management

Blog > Data Masking > Securing FieldShield Passphrases in Azure Key Vault

Blog > Data Masking > Securing FieldShield Encryption Keys with Alliance Key Manager

Frequently Asked Questions (FAQs)

1. What is encryption key management and why is it important?
Encryption key management involves securely generating, storing, distributing, and retiring encryption keys used to protect sensitive data. Without proper key management, encrypted data may become inaccessible or vulnerable to breaches.
2. How does poor key management affect data security?
If encryption keys are lost, the encrypted data becomes unrecoverable. If keys are stolen or mismanaged, attackers may gain unauthorized access to sensitive data, defeating the purpose of encryption.
3. What key management methods are supported by IRI?
IRI supports several methods for managing encryption keys, including embedding keys directly in job scripts, referencing secure key files, using environment variables, or leveraging public/private key pairs.
4. How does IRI support decentralized key management?
IRI tools like FieldShield and DarkShield support a distributed key management model. Keys can be managed and executed locally at endpoints (spokes) while still centrally administered (hub), reducing risks of centralized failure.
5. Can IRI encryption tools integrate with third-party key vaults?
Yes. IRI tools can integrate with external key management solutions like Microsoft Azure Key Vault and Alliance Key Manager from Townsend Security to support HSMs and other secure key lifecycle operations.
6. How does hub-and-spoke key architecture enhance security?
Hub-and-spoke architecture allows encryption and decryption to occur locally with spoke components, minimizing exposure to network-based risks and ensuring operations can continue even if the central system fails.
7. What are the benefits of using environment variables for key storage?
Using environment variables keeps encryption keys out of source code and job scripts. This method provides a layer of abstraction and can enhance security when combined with access control measures.
8. Can I use different encryption keys for different fields?
Yes. IRI tools allow field-level encryption using unique keys per field or dataset, providing granular control and minimizing the impact if a single key is compromised.
9. What happens if an encryption key is lost?
If a key is lost and no backup exists, the encrypted data cannot be decrypted. This is why secure key management and redundancy strategies are critical to any data protection implementation.
10. How can IRI help with enterprise key provisioning integration?
IRI offers support for integrating enterprise key provisioning systems or storage appliances into its encryption workflows, enabling seamless use of existing key infrastructures within FieldShield and other tools.
Share this page

Request More Information

Live Chat

* indicates a required field.
IRI does NOT share your information.