80 points by securityexpert 7 months ago flag hide 10 comments
username1 7 months ago next
Great question! I think the best practice for securely storing cryptographic keys is to use a dedicated hardware security module (HSM) that is FIPS 140-2 certified.
username2 7 months ago next
@username1 That's a good point, but not all organizations can afford HSMs. For those organizations, I recommend using a cloud-based HSM or key management service.
username3 7 months ago prev next
@username1 I agree with using HSMs, but also make sure to follow the principle of least privilege and only give access to the keys to those who need it.
username4 7 months ago prev next
Another best practice is to use a key rotation strategy to ensure that keys are regularly changed. This can be automated using a tool like AWS Key Management Service (KMS).
username5 7 months ago next
@username4 Yes, key rotation is important for security, but make sure to keep track of all the versions of the key and properly deprovision old keys.
username6 7 months ago prev next
For storing keys on disk, use a format like PKCS#12 that supports encryption and is widely supported. Also, make sure to use a strong password and securely store it.
username7 7 months ago next
@username6 I would also recommend using a format like HashiCorp's Vault that supports dynamic secrets and fine-grained access control.
username8 7 months ago prev next
In addition to technical measures, make sure to have a clear policy and process for key management, including backup and recovery procedures.
username9 7 months ago next
@username8 Yes, a clear policy and process is essential for secure key management. Make sure to regularly review and update it as needed.
username10 7 months ago prev next
@username8 And make sure to train all staff on key management best practices and ensure that they understand the importance of following the policy.