Key management
==Management and compliance systems==

===Key management system===
A ''key management system'' (KMS), also known as a ''cryptographic key management system'' (CKMS) or ''enterprise key management system'' (EKMS), is an integrated approach for generating, distributing and managing [[Key (cryptography)|cryptographic keys]] for devices and applications. It may cover all aspects of security, from the secure generation of keys, through the secure exchange of keys, to secure key handling and storage on the client. Thus, a KMS includes the backend functionality for [[key generation]], distribution, and replacement as well as the client functionality for injecting keys, storing and managing keys on devices.

===Standards-based key management===
Many specific applications have developed their own key management systems with home-grown protocols. However, as systems become more interconnected, keys need to be shared between those different systems. To facilitate this, key management standards have evolved to define the protocols used to manage and exchange cryptographic keys and related information.

===Key Management Interoperability Protocol (KMIP)===
{{Main|Key Management Interoperability Protocol (KMIP)}}
KMIP is an extensible key management protocol that has been developed by many organizations working within the [[OASIS (organization)|OASIS standards body]]. The first version was released in 2010, and it has been further developed by an active technical committee. The protocol allows for the creation of keys and their distribution among disparate software systems that need to utilize them. It covers the full key life cycle of both symmetric and asymmetric keys in a variety of formats, the wrapping of keys, provisioning schemes, and cryptographic operations as well as metadata associated with the keys. The protocol is backed by an extensive series of test cases, and interoperability testing is performed between compliant systems each year.

<gallery mode="packed" heights="200px" class="center">
File:KMIP Tests Performed 2017 B.png|Individual interoperability tests performed by each server/client vendor combination since 2012
File:KMIPServerTestResults2017-B.png|Results of 2017 OASIS KMIP interoperability testing
</gallery>

A list of some 80 products that conform to the KMIP standard can be found on [https://wiki.oasis-open.org/kmip/KnownKMIPImplementations the OASIS website].

====Closed source====
{{columns-list|colwidth=30em|
* Bloombase KeyCastle<ref name="bloombase.com">{{Cite web|url=https://www.bloombase.com/products/keycastle|title = Bloombase KeyCastle - Enterprise Key Life-Cycle Management - Bloombase - Intelligent Storage Firewall}}</ref>
* Cryptsoft KMIP C and Java Servers<ref>{{cite web|url=http://www.cryptsoft.com/KMIP/ |title=Cryptsoft |publisher=Cryptsoft |access-date=2013-08-06}}</ref>
* Fornetix Key Orchestration<ref>{{cite web | url=http://fornetix.com/products/ | title=VaultCore - Encryption Key Management Platform | Fornetix | date=29 August 2019 }}</ref>
* Fortanix Data Security Manager<ref>{{cite web|url=https://www.fortanix.com/products/data-security-manager/saas |title=Fortanix Data Security Manager |publisher=Fortanix |access-date=2022-06-02}}</ref>
* [[Futurex]] Key Management<ref>{{cite web|url=http://www.futurex.com/products/category/key-management-servers |title=Futurex Key Management Servers |publisher=Futurex.com |access-date=2016-08-18}}</ref>
* Gazzang zTrustee<ref>{{cite web |url=http://www.gazzang.com/products/ztrustee |title=Gazzang zTrustee |publisher=Gazzang.com |date= |access-date=2013-08-06 |archive-date=2014-08-07 |archive-url=https://web.archive.org/web/20140807021143/http://www.gazzang.com/products/ztrustee |url-status=dead }}</ref>
* HP Enterprise Secure Key Manager<ref>{{cite web |url=http://h17007.www1.hp.com/us/en/products/network-security/HP_Enterprise_Secure_Key_Manager/index.aspx?jumpid=reg_r1002_usen |archive-url=https://archive.today/20120710061028/http://h17007.www1.hp.com/us/en/products/network-security/HP_Enterprise_Secure_Key_Manager/index.aspx?jumpid=reg_r1002_usen |url-status=dead |archive-date=2012-07-10 |title=Data Encryption - Enterprise Secure Key Manager | HP® Official Site |publisher=H17007.www1.hp.com |access-date=2013-08-06 }}</ref>
* IBM Distributed Key Management System (DKMS)<ref>{{cite web|url=http://www-03.ibm.com/security/cccc/products/dkms.shtml |archive-url=https://web.archive.org/web/20111013194102/http://www-03.ibm.com/security/cccc/products/dkms.shtml |url-status=dead |archive-date=October 13, 2011 |title=IBM Enterprise Key Management Foundation (EKMF) |publisher=03.ibm.com |access-date=2013-08-06}}</ref>
* IBM Enterprise Key Management Foundation<ref>{{cite web|url=http://public.dhe.ibm.com/common/ssi/ecm/en/zss03081usen/ZSS03081USEN.PDF |title=IBM Enterprise Key Management Foundation |access-date=2013-02-08 |url-status=dead |archive-url=https://web.archive.org/web/20141229083247/http://public.dhe.ibm.com/common/ssi/ecm/en/zss03081usen/ZSS03081USEN.PDF |archive-date=2014-12-29 }}</ref>
* IBM Security Key Lifecycle Manager<ref>{{cite book|url=https://books.google.com/books?id=n5_ODQAAQBAJ&q=IBM+Security+Key+Lifecycle+Manager+Tivoli&pg=PA28 |title=Data-at-rest Encryption for the IBM Spectrum Accelerate Family |date= 2016-12-28|access-date=2017-06-12|isbn=9780738455839 |last1=Fridli |first1=Roman |last2=Greenfield |first2=Andrew |last3=Dufrasne |first3=Bert |last4=Redbooks |first4=I.B.M. }}</ref>
* [https://www.ibm.com/cloud/hyper-protect-crypto/ IBM Cloud Hyper Protect Crypto Services]<ref>{{cite web|url=https://cloud.ibm.com/docs/hs-crypto?topic=hs-crypto-get-started |title=Getting started with IBM Cloud Hyper Protect Crypto Services|date=4 June 2024 }}</ref>
* Oracle Key Vault<ref>{{cite web|url=http://www.oracle.com/technetwork/database/options/key-management/overview/index.html |title=Key Manager | Database|publisher=Oracle |access-date=2018-08-28}}</ref>
* Oracle Key Manager<ref>{{cite web|url=http://www.oracle.com/us/products/servers-storage/storage/storage-software/oracle-key-manager/overview/index.html |title=Key Manager | Storage |publisher=Oracle |access-date=2013-08-06}}</ref>
* P6R KMIP Client SDK<ref>{{cite web|url=https://www.p6r.com/software/skc.html |title=P6R |publisher=P6R |access-date=2015-05-11}}</ref>
* [[QuintessenceLabs]] qCrypt Key and Policy Manager<ref>{{cite web |url=http://www.quintessencelabs.com/products/qcrypt-and-qcrypt-xstream/ |title=qCrypt |publisher=Quintessencelabs.com |access-date=2016-04-01 |archive-date=2015-10-02 |archive-url=https://web.archive.org/web/20151002205158/http://www.quintessencelabs.com/products/qcrypt-and-qcrypt-xstream/ |url-status=dead }}</ref>
* RSA Data Protection Manager<ref>{{cite web|url=http://www.emc.com/security/rsa-data-protection-manager.htm |title=RSA Data Protection Manager - Data Encryption, Key Management |publisher=EMC |date=2013-04-18 |access-date=2013-08-06}}</ref>
* [https://safenet.gemalto.com/data-encryption/enterprise-key-management/key-secure/ Gemalto’s SafeNet KeySecure]<ref>{{cite web|url=https://safenet.gemalto.com/data-encryption/enterprise-key-management/key-secure/ |title=Cryptographic Key Management System - Gemalto's SafeNet KeySecure |publisher=Safenet.Gemalto.com |access-date=2013-08-06}}</ref>
* Thales Key Management<ref>{{cite web |url=http://www.thales-esecurity.com/Products/Key%20Management%20Tools.aspx |title=Key Management: keyAuthority - a proven solution for centralizing key management |publisher=Thales-esecurity.com |access-date=2013-08-06 |archive-date=2012-09-10 |archive-url=https://web.archive.org/web/20120910080404/http://www.thales-esecurity.com/Products/Key%20Management%20Tools.aspx |url-status=dead }}</ref>
* Townsend Security Alliance Key Manager<ref>{{cite web |url=http://townsendsecurity.com/products/encryption-key-management |title=Encryption Key Management | Encryption Key Management, Cloud Security, Data Protection |publisher=Townsendsecurity.com |access-date=2013-08-06 |archive-date=2016-03-04 |archive-url=https://web.archive.org/web/20160304104817/http://townsendsecurity.com/products/encryption-key-management |url-status=dead }}</ref>
* [[Venafi]] Trust Protection Platform<ref>{{cite web |url=https://www.venafi.com/what-we-do/ |title=What We do – Venafi |access-date=2014-09-27 |url-status=dead |archive-url=https://web.archive.org/web/20140711185846/http://www.venafi.com/what-we-do/ |archive-date=2014-07-11 }}</ref>
* [[Vormetric]] Data Security Platform<ref>{{cite web |url=http://www.vormetric.com/products/vormetric-key-management |title=Vormetric Data Security Platform |publisher=Vormetric.com |access-date=2015-12-15 |archive-date=2016-04-10 |archive-url=https://web.archive.org/web/20160410002751/http://www.vormetric.com/products/vormetric-key-management |url-status=dead }}</ref>
}}

===Non-KMIP-compliant key management===

====Open source====
* Barbican, the OpenStack security API.<ref>{{Cite web|url=https://wiki.openstack.org/wiki/Barbican|title = Barbican - OpenStack}}</ref>
* KeyBox - web-based SSH access and key management.<ref>[http://sshkeybox.com/ SSHKeyBox - Services and Products]</ref>
* EPKS - Echo Public Key Share, a system to share encryption keys online in a p2p community.<ref>{{Cite web |url=https://en.wikibooks.org/wiki/Big_Seven_Study |title=Big Seven Crypto Study - Wikibooks, open books for an open world |access-date=2016-07-16 |archive-date=2016-08-09 |archive-url=https://web.archive.org/web/20160809235221/https://en.wikibooks.org/wiki/Big_Seven_Study |url-status=dead }}</ref>
* Kmc-Subset137<ref>{{cite web |title= KMC-Subject137 Library Project |url=http://www.kmc-subset137.eu/ |website=KMC-Subset137 Project |access-date=14 July 2024}}</ref> - key management system implementing UNISIG Subset-137<ref>{{Cite web | url=http://www.era.europa.eu/Document-Register/Documents/SUBSET-137%20v100.pdf | title=On-line Key Management FFFIS | archive-url=https://web.archive.org/web/20180727110424/http://www.era.europa.eu/Document-Register/Documents/SUBSET-137%20v100.pdf | archive-date=2018-07-27}}</ref> for [[ERTMS]]/[[ETCS]] railway applications.
* [[privacyIDEA]] - two-factor management with support for managing SSH keys.<ref>[http://privacyidea.org Authentication System privacyIDEA]</ref>
* StrongKey - open source, last updated on SourceForge in 2016.<ref>{{Cite web|url=http://sourceforge.net/projects/strongkey/|title=StrongKey|date=6 April 2016 }}</ref> According to its home page, the project is no longer maintained.
* Vault - secret server from [[HashiCorp]].<ref>[http://vaultproject.io/ Manage secrets and protect sensitive data with Vault]</ref>
* [https://nucypher.com/ NuCypher]
* [https://secrethub.io/ SecretHub] - end-to-end encrypted SaaS key management
* [https://infisical.com/ Infisical] - end-to-end open-source secret management platform.

====Closed source====
* Amazon Web Services (AWS) Key Management Service (KMS)<ref>{{cite web | url=https://aws.amazon.com/kms/ | title=Key Management Service (AWS KMS) - Amazon Web Services (AWS) }}</ref>
* Bell ID Key Manager<ref>{{cite web |url=http://www.bellid.com/products/key-manager |title=Key Management System |publisher=Bell ID |access-date=2014-01-17 |url-status=dead |archive-url=https://archive.today/20140117141733/http://www.bellid.com/products/key-manager |archive-date=2014-01-17 }}</ref>
* Bloombase KeyCastle<ref name="bloombase.com">{{Cite web|url=https://www.bloombase.com/products/keycastle|title = Bloombase KeyCastle - Enterprise Key Life-Cycle Management - Bloombase - Intelligent Storage Firewall}}</ref>
* [[Cryptomathic|Cryptomathic CKMS]]<ref name="Cryptomathic Key">{{cite web|last1=Landrock|first1=Peter|title=Cryptomathic Key Management System|url=http://www.cryptomathic.com/products/key-management/crypto-key-management-system|website=cryptomathic.com/|publisher=Cryptomathic|access-date=April 20, 2015}}</ref>
* [https://doppler.com Doppler SecretOps Platform]<ref>{{Cite web |title=Doppler {{!}} SecretOps Platform |url=https://www.doppler.com/ |access-date=2022-08-26 |website=www.doppler.com |language=en}}</ref>
* [https://netlibsecurity.com/enterprise-manager/ Encryptionizer Key Manager (Windows only)]
* [https://cloud.google.com/security-key-management Google Cloud Key Management]
* IBM Cloud Key Protect<ref>{{cite web | url=https://cloud.ibm.com/docs/services/key-protect?topic=key-protect-about | title=IBM Cloud Docs }}</ref>
* Microsoft Azure Key Vault<ref>{{cite web | url=https://azure.microsoft.com/en-us/documentation/articles/key-vault-whatis/ | title=What is Azure Key Vault? | date=18 December 2022 }}</ref>
* Porticor Virtual Private Data<ref>{{cite web |url=http://www.porticor.com/porticor-virtual-private-data/ |title=About Virtual Private Data |publisher=Porticor.com |access-date=2013-08-06 |url-status=dead |archive-url=https://web.archive.org/web/20130731062455/http://www.porticor.com/porticor-virtual-private-data |archive-date=2013-07-31 }}</ref>
* [[SSH Communications Security]] Universal SSH Key Manager<ref>{{cite web | url=http://www.ssh.com/products/universal-ssh-key-manager | title=UKM Zero Trust SSH Encryption Key Management }}</ref>
* [https://cpl.thalesgroup.com/encryption/ciphertrust-manager CipherTrust Manager]
* [https://www.akeyless.io/ Akeyless Vault]<ref>{{cite web | url=https://docs.akeyless.io/docs/encryption-key-management-overview | title=Encryption & Key Management Overview }}</ref>

====KMS security policy====
The security policy of a key management system provides the rules that are to be used to protect the keys and metadata that the key management system supports. As defined by the National Institute of Standards and Technology ([[NIST]]), the policy shall establish and specify rules for this information that will protect its:<ref name="Reinholm-KeyManagementCompliance" />
* Confidentiality
* Integrity
* Availability
* Authentication of source<ref name="NIST-KeyManagementSystems">{{cite web|last1=Barker|first1=Elaine|last2=Smid|first2=Miles|last3=Branstad|first3=Dennis|last4=Chokhani|first4=Santosh|title=NIST Special Publication 800-130: A Framework for Designing Cryptographic Key Management Systems|url=http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-130.pdf|publisher=National Institute of Standards and Technology|access-date=30 May 2016}}</ref>
This protection covers the complete key life-cycle, from the time the key becomes operational to its elimination.<ref name="Turner-What-is-key-management" />

====Bring your own encryption / key====
{{main|Bring your own encryption}}
''Bring your own encryption'' (BYOE), also called ''bring your own key'' (BYOK), refers to a cloud-computing security model that allows public-cloud customers to use their own encryption software and manage their own encryption keys. This security model is usually considered a marketing stunt, as critical keys are still handed over to third parties (cloud providers) while key owners are left with the operational burden of generating, rotating and sharing their keys.

===Public-key infrastructure (PKI)===
{{main|Public key infrastructure}}
A [[Public key infrastructure|public-key infrastructure]] is a type of key management system that uses hierarchical [[digital certificates]] to provide authentication, and public keys to provide encryption. PKIs are used in World Wide Web traffic, commonly in the form of [[Secure Sockets Layer|SSL]] and [[Transport Layer Security|TLS]].

===Multicast group key management===
Group key management means managing the keys in a group communication. Most group communication uses [[multicast]], so that a message sent once by the sender is received by all the users. The main problem in multicast group communication is its security. To improve it, various keys are given to the users, who use them to encrypt their messages and send them secretly. The IETF published RFC 4046, entitled Multicast Security (MSEC) Group Key Management Architecture, which discusses the challenges of group key management.<ref>{{cite journal|url=https://tools.ietf.org/html/rfc4046 |title=Multicast Security (MSEC) Group Key Management Architecture |newspaper=Ietf Datatracker |date=2005-04-01 |doi=10.17487/RFC4046 |access-date=2017-06-12|last1=Baugher |first1=M. |last2=Canetti |first2=R. |last3=Dondeti |first3=L. |last4=Lindholm |first4=F. |url-access=subscription }}</ref>
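The key distribution described above, as an added example that is not part of the article or of RFC 4046: a minimal Go model of the RFC's group controller / key server (GCKS), which holds one long-term key-encryption key (KEK) per member, wraps the shared traffic-encryption key (TEK) under each member's KEK, and rekeys immediately when a member leaves so that the departed member's KEK opens nothing issued afterwards. The GCKS/KEK/TEK names follow the RFC's terminology; wrapping the TEK with AES-256-GCM and binding the member name as associated data is an assumption of this example, not a format defined by the RFC.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// WrappedTEK is one member's copy of the group traffic-encryption key
// (TEK), sealed with AES-256-GCM under that member's key-encryption key (KEK).
type WrappedTEK struct{ Nonce, Blob []byte }

// GCKS models the group controller / key server of RFC 4046: it holds one
// long-term KEK per current member and distributes the shared TEK.
type GCKS struct{ keks map[string][]byte }

func NewGCKS() *GCKS { return &GCKS{keks: map[string][]byte{}} }
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b } // crypto/rand does not fail in practice
func gcm(kek []byte) cipher.AEAD { // every KEK here is 32 bytes (AES-256)
	block, _ := aes.NewCipher(kek)
	g, _ := cipher.NewGCM(block)
	return g
}

// Join registers a member and returns its KEK (delivered out of band).
func (s *GCKS) Join(m string) []byte { s.keks[m] = randBytes(32); return s.keks[m] }

// Rekey draws a fresh TEK and wraps it once per current member; anyone
// removed beforehand gets no copy and so cannot read later group traffic.
func (s *GCKS) Rekey() map[string]WrappedTEK {
	tek, out := randBytes(32), map[string]WrappedTEK{}
	for m, kek := range s.keks {
		nonce := randBytes(12) // fresh per wrap; the member name is the AD
		out[m] = WrappedTEK{nonce, gcm(kek).Seal(nil, nonce, tek, []byte(m))}
	}
	return out
}

// Leave removes a member and rekeys at once, so its old KEK opens nothing new.
func (s *GCKS) Leave(m string) map[string]WrappedTEK { delete(s.keks, m); return s.Rekey() }

// Unwrap is the member side: only the addressed member's own KEK opens its blob.
func Unwrap(member string, kek []byte, w WrappedTEK) ([]byte, error) {
	g := gcm(kek)
	if len(w.Nonce) != g.NonceSize() { // zero value: no copy was issued to us
		return nil, errors.New("no wrapped key was issued to " + member)
	}
	return g.Open(nil, w.Nonce, w.Blob, []byte(member))
}
```

With a rekey on every leave, a member that has been removed keeps only TEKs it already held, so revoking access also means re-encrypting anything that must stay out of its reach.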