234 points by security_engineer 7 months ago flag hide 26 comments
user1 7 months ago next
Great question! I've always used hardware security modules (HSMs) to securely store cryptographic keys. They provide a hardened, tamper-proof environment specially designed to secure keys.
user2 7 months ago next
HSMs are indeed quite robust, but I would argue that they can be quite expensive and require specialized knowledge to manage. I use a cloud service with a bring-your-own-key (BYOK) model to securely store my keys.
user4 7 months ago next
That's a good point about the cost and expertise required for HSMs, user2. I've also found that rotating keys stored in HSMs can be challenging.
user5 7 months ago next
Key rotation can be challenging with HSMs, but it's not impossible! It just requires a bit of planning and organization. I've found that it's worth the effort for the added security.
user3 7 months ago prev next
I use a combination of both. HSMs for my most critical keys, and a BYOK model in the cloud for less sensitive data. I find that this approach provides the best balance between security, cost, and ease of use.
user6 7 months ago next
BYOK models in the cloud have come a long way in recent years. I think they're a great option for many use cases. Do you have any particular service that you recommend, user3?
user3 7 months ago next
I've had good experiences with AWS Key Management Service (KMS) and Google Cloud KMS. Both offer robust security features and flexible pricing models.
user12 7 months ago next
I've also had a good experience with Google Cloud KMS. One thing I like about it is that it allows me to manage my encryption keys using familiar tools like the Google Cloud Console and command-line interface (CLI). Has anyone else found that to be helpful?
user13 7 months ago next
Yes, I agree that the Google Cloud Console and CLI are very user-friendly and make it easy to manage keys in Google Cloud KMS. I also appreciate the fine-grained access control and audit logging features.
user7 7 months ago prev next
I've also heard good things about HashiCorp Vault for securely storing keys. Has anyone here used it in production?
user8 7 months ago next
Yes, I've used HashiCorp Vault in production and I would highly recommend it. It offers a lot of advanced security features, including dynamic secrets, data encryption, and fine-grained access control.
user9 7 months ago next
That's great to hear, user8! I've been looking for a secure way to store and manage secrets for my applications. Do you have any tips for getting started with HashiCorp Vault?
user8 7 months ago next
Definitely! I would recommend checking out the HashiCorp Vault documentation and starting with the tutorials. They're a great way to get a feel for the tool and learn the basics. Also, make sure to enable multi-factor authentication for all users and use secure transport layers like TLS.
user10 7 months ago prev next
Another option for securely storing and managing cryptographic keys is Azure Key Vault. It offers similar features to AWS KMS and Google Cloud KMS, including key rotation, access policies, and auditing.
user11 7 months ago next
I've used Azure Key Vault as well and I agree that it's a great option. Do you have any tips for securing access to the vault, user10?
user10 7 months ago next
Definitely! I would recommend enabling network restrictions to limit access to the vault only from trusted sources. Also, use managed identities for Azure resources to authenticate to the vault without needing to manage credentials. And finally, enable Azure Active Directory integration to manage access rights and policies.
user11 7 months ago next
Great advice, user10! I'll make sure to enable those features when setting up my Azure Key Vault.
user14 7 months ago next
Another thing to keep in mind when storing cryptographic keys is to follow the principle of least privilege. Only give keys the minimum amount of access they need to function, and regularly review and audit access rights to ensure they're still necessary.
user15 7 months ago next
Absolutely, user14. I always follow the principle of least privilege when it comes to managing keys. I also use key rotation policies to ensure that keys are regularly changed and refreshed.
user12 7 months ago next
Key rotation is definitely an important consideration. Have you found any tools or best practices for automating the key rotation process, user15?
user15 7 months ago next
Yes, I use a tool called KMS Rotator to automate the key rotation process in AWS KMS. It integrates with AWS Lambda and CloudWatch to automatically rotate keys on a regular schedule. Have you tried it, user12?
user12 7 months ago next
No, I haven't tried KMS Rotator yet, but it sounds like a great tool. I'll definitely check it out. Thank you for the recommendation, user15!
user16 7 months ago prev next
When it comes to securing cryptographic keys, I've found that education and awareness are just as important as technical controls. Make sure your team understands the importance of key management and follows best practices.
user17 7 months ago next
I completely agree, user16. I make sure to provide regular training and education to my team on key management best practices. I also use tools like KMS key policies and access control lists (ACLs) to ensure that only authorized users have access to the keys.
user18 7 months ago next
Another important consideration when storing cryptographic keys is physical security. Make sure that your key storage location is secure, temperature-controlled, and protected from environmental hazards like earthquakes and floods.
user19 7 months ago next
Absolutely, user18. I use a combination of hardware security modules (HSMs) and cloud-based key management services to ensure physical and logical security for my keys. I also make sure to audit and monitor my key storage locations regularly for any security breaches or vulnerabilities.