Key management
===Key storage===
However distributed, keys must be stored securely to maintain communications security. Security is a major concern,<ref name="Crain's New York">{{cite web|title=An ancient technology gets a key makeover|url=http://www.crainsnewyork.com/article/20131120/TECHNOLOGY/131129993/an-ancient-technology-gets-a-key-makeover|website=Crain's New York Business|date=20 November 2013|publisher=Crain's New York|access-date=19 May 2015}}</ref><ref name=":0">{{Cite web|title=Lost in translation: encryption, key management, and real security|url=https://cloud.google.com/blog/products/identity-security/how-encryption-and-key-management-enable-real-security|access-date=2021-09-16|website=Google Cloud Blog|language=en}}</ref> and various techniques are used to achieve it. Likely the most common is that an encryption application manages keys for the user and depends on an access password to control use of the key. Likewise, smartphone keyless access platforms keep all identifying door information off mobile phones and servers and encrypt all data; as with low-tech keys, users give codes only to those they trust.<ref name="Crain's New York"/> Few regulations address key storage in depth. "Some contain minimal guidance like 'don’t store keys with encrypted data' or suggest that 'keys should be kept securely.'" The notable exceptions are PCI DSS 3.2.1, NIST 800-53 and NIST 800-57.<ref name=":0" /> For optimal security, keys may be stored in a [[Hardware security module|Hardware Security Module]] (HSM) or protected using technologies such as [[Trusted execution environment|Trusted Execution Environment]] (TEE, e.g. [[Intel SGX]]) or [[Multi-party computation|Multi-Party Computation]] (MPC).
Additional alternatives include utilizing [[Trusted Platform Module]]s (TPM),<ref>{{Cite book|last1=Gopal|first1=Venkatesh|last2=Fadnavis|first2=Shikha|last3=Coffman|first3=Joel|title=2018 IEEE World Congress on Services (SERVICES) |chapter=Low-Cost Distributed Key Management |date=July 2018|chapter-url=https://ieeexplore.ieee.org/document/8495794|pages=57–58|doi=10.1109/SERVICES.2018.00042|isbn=978-1-5386-7374-4|s2cid=53081136}}</ref> virtual HSMs, aka "Poor Man's Hardware Security Modules" (pmHSM),<ref>{{Cite book|last1=Cifuentes|first1=Francisco|last2=Hevia|first2=Alejandro|last3=Montoto|first3=Francisco|last4=Barros|first4=Tomás|last5=Ramiro|first5=Victor|last6=Bustos-Jiménez|first6=Javier|title=Proceedings of the 9th Latin America Networking Conference |chapter=Poor Man's Hardware Security Module (PMHSM) |date=2016-10-13|chapter-url=https://doi.org/10.1145/2998373.2998452|series=LANC '16|location=Valparaiso, Chile|publisher=Association for Computing Machinery|pages=59–64|doi=10.1145/2998373.2998452|isbn=978-1-4503-4591-0|s2cid=16784459}}</ref> or non-volatile [[Field-programmable gate array|Field-Programmable-Gate-Arrays]] (FPGA) with supporting [[System on a chip|System-on-Chip]] configurations.<ref>{{Cite book|last1=Parrinha|first1=Diogo|last2=Chaves|first2=Ricardo|title=2017 International Conference on ReConFigurable Computing and FPGAs (ReConFig) |chapter=Flexible and low-cost HSM based on non-volatile FPGAs |date=December 2017|chapter-url=https://ieeexplore.ieee.org/document/8279795|pages=1–8|doi=10.1109/RECONFIG.2017.8279795|isbn=978-1-5386-3797-5|s2cid=23673629}}</ref> To verify the integrity of a stored key without compromising its actual value, a [[Key checksum value|KCV]] algorithm can be used.
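
The KCV check mentioned above, as an added example in Go that is not part of the original article: it assumes the common convention of encrypting an all-zero block with the key and keeping the first three bytes, applied here to AES. The function names and the all-zero sample key are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// KCV returns a key check value for an AES key: the first 3 bytes of the
// encryption of an all-zero block, as 6 uppercase hex characters.
// (Assumed convention; the article does not say which KCV variant is meant.)
func KCV(key []byte) (string, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return "", err
	}
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, make([]byte, aes.BlockSize))
	return strings.ToUpper(hex.EncodeToString(out[:3])), nil
}

// VerifyStoredKey recomputes the KCV of a key loaded from storage and compares
// it with the value recorded when the key was created. The key itself is never
// logged or returned, only the 3-byte check value is handled.
func VerifyStoredKey(key []byte, recorded string) bool {
	got, err := KCV(key)
	if err != nil {
		return false // truncated or malformed key material fails closed
	}
	want := strings.ToUpper(strings.TrimSpace(recorded))
	return subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1
}

func main() {
	// Constructed sample key (all zero bytes), never a real key.
	key := make([]byte, 16)
	recorded, _ := KCV(key)
	fmt.Println("recorded KCV:", recorded)

	// Simulate storage corruption: one flipped bit in the stored key.
	damaged := append([]byte(nil), key...)
	damaged[5] ^= 0x01
	fmt.Println("intact key verifies: ", VerifyStoredKey(key, recorded))
	fmt.Println("damaged key verifies:", VerifyStoredKey(damaged, recorded))
}
```

A 24-bit check value catches a wrong or corrupted key, not deliberate tampering, so it supplements rather than replaces authenticated storage of the key.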