Key Management Best Practices

Introduction to Key Management

Creating strong encryption keys is only the beginning of your security journey. Proper management of those keys throughout their lifecycle is equally critical. Without good key management practices, even the strongest cryptographic keys can become security liabilities.

In this module, we'll explore best practices for managing your encryption keys from creation to retirement, with a focus on:

• Key storage strategies for different security levels
• Setting appropriate key expiration dates
• Key renewal and rotation processes
• Backup procedures that balance security and availability
• Key revocation when necessary

Key Storage Strategies

Where and how you store your keys has a profound impact on their security. Different keys may require different storage approaches based on their importance and frequency of use.

Tiered Storage Model

A tiered approach to key storage allows you to balance security and convenience:

• Tier 1: Air-gapped storage - For master keys and critical backup keys
  • Stored on devices never connected to the internet
  • Often encrypted and stored on removable media
  • Physical security measures like safes or secure locations
• Tier 2: Hardware security devices - For frequently used subkeys
  • YubiKeys, smart cards, or hardware security modules (HSMs)
  • Physical possession + PIN protection
  • Tamper-resistant design
• Tier 3: Encrypted local storage - For less critical keys or temporary use
  • Encrypted key storage on your primary devices
  • Protected by strong passphrases
  • Regularly updated device security

Key Storage with Secure Mail Client

Secure Mail Client provides several secure key storage options:

• YubiKey/SmartCard integration: Store keys on hardware security devices
• Encrypted keyring: Keys stored in an encrypted format on disk
• Memory-only mode: For high-security environments, keys can be loaded only for the current session

To configure key storage in Secure Mail Client:

1. Navigate to Settings > Security > Key Storage
2. Select your preferred storage method
3. Configure additional protections like auto-locking and passphrase requirements

Key Expiration Policies

All cryptographic keys should have an expiration date. This is a security best practice that:

• Forces regular key review and rotation
• Limits the damage from undetected key compromise
• Provides natural opportunities to upgrade to stronger cryptographic algorithms
• Helps manage the web of trust by removing outdated keys

Recommended Expiration Timeframes

Different types of keys should have different expiration periods based on their use and exposure:

• Master signing keys: 2-3 years
• Encryption subkeys: 1-2 years
• Signing subkeys: 1 year
• Authentication subkeys: 1 year

These timeframes balance security with the overhead of key rotation. For high-security environments, shorter expiration periods may be appropriate.

Setting and Updating Expiration Dates

With GPG, you can set expiration dates when creating keys or update them later:

To check current expiration dates:

      
        
gpg --list-keys --with-colons [email protected] | grep "^pub\|^sub"

      
    

To update expiration dates on existing keys:

      
        
gpg --edit-key [email protected]
      # In the GPG prompt
      key 1    # Select the subkey to modify (0 for primary key)
      expire   # Change expiration
      save     # Save changes

      
    

Key Rotation Strategies

Key rotation is the practice of replacing older keys with new ones on a regular schedule, even without any known compromise. This is a proactive security measure that should be part of your standard operating procedure.

Why Rotate Keys?

• Limit exposure window: Reduces the time an attacker has to compromise keys
• Upgrade crypto parameters: Opportunity to move to stronger algorithms or key sizes
• Mitigate unknown compromises: Addresses potential undiscovered breaches
• Streamline transitions: Regular rotation creates a smooth process for inevitable key changes

Rotation Process for PGP Keys

1. Generate new subkeys (while retaining your master key)
2. Update public key information on key servers and direct to contacts
3. Implement a transition period where both old and new keys are valid
4. Securely archive old keys for accessing previously encrypted data
5. Phase out old keys after the transition period

For master key rotation (less frequent), the process is more involved:

1. Create an entirely new key set with new master key and subkeys
2. Cross-sign old and new keys to establish trust relationships
3. Publish new keys and update all relevant platforms and contacts
4. Transition communications to new keys while maintaining ability to decrypt with old keys
5. Eventually revoke old master key after sufficient transition time

Key Backup Best Practices

Losing access to your encryption keys can be catastrophic - you may permanently lose access to encrypted data. Proper backups are essential, but must be implemented securely.

What to Back Up

• Master keys: Essential for maintaining your identity and creating new subkeys
• Subkeys: Needed to decrypt historical data encrypted to those keys
• Revocation certificates: Allow you to revoke keys if they're compromised
• Configuration information: Settings, trust database, etc.

Secure Backup Methods

The most secure backup strategy combines multiple methods:

1. Encrypted digital backups:
   • Export keys in encrypted format using a strong passphrase
   • Store on multiple physical media (USB drives, SD cards)
   • Store in diverse physical locations to prevent loss from disasters
2. Paper backups for master keys:
   • Use tools like Paperkey to create printable versions of your keys
   • Store in waterproof and fireproof containers
   • Consider splitting key material across multiple physical locations
3. Secure digital vaults:
   • Encrypted containers using tools like VeraCrypt
   • Password managers with secure attachment features
   • Only for redundancy, not primary storage

Testing Your Backups

A backup is only valuable if it works when needed. Regularly test your key backup and restoration process:

1. Set a calendar reminder to test backups quarterly
2. Attempt to restore from each backup location to a test environment
3. Verify that restored keys work for encryption and decryption
4. Document the restoration process clearly for emergency situations

Key Revocation Procedures

Despite best practices, keys sometimes need to be revoked before their expiration date. This might happen due to:

• Suspected or confirmed compromise
• Loss of access to the private key
• Change in personal or organizational circumstances
• Upgrade to stronger cryptographic algorithms

Creating Revocation Certificates in Advance

Always generate revocation certificates immediately after creating new keys:

      
        
gpg --gen-revoke --output=revocation-certificate.asc [email protected]

      
    

Store these certificates securely but separately from your primary keys. If your keys are compromised, you may also lose access to any revocation certificates stored in the same location.

Revocation Process

When you need to revoke a key:

1. Import the revocation certificate: gpg --import revocation-certificate.asc
2. Upload to key servers: gpg --keyserver keyserver.ubuntu.com --send-keys KEY_ID
3. Notify contacts directly through secure channels
4. Generate new keys if needed for continued communications
5. Update your email signature, websites, and profiles with new key information

Organizational Key Management

For teams and organizations, key management requires additional policies and procedures:

• Centralized key management systems with appropriate access controls
• Key custodian roles with clear responsibilities
• Separation of duties to prevent single points of failure
• Regular key audits to verify compliance with policies
• Documented key hierarchies indicating which keys are authorized for different purposes
• Succession planning for access to critical keys when key holders are unavailable

Even for personal use, taking an "organizational approach" to your key management can help ensure you maintain proper security practices.

Key Management Checklist

Use this checklist to ensure your key management practices are comprehensive:

• ☐ All keys have appropriate expiration dates set
• ☐ Master keys are stored securely offline (air-gapped)
• ☐ Multiple secure backups exist in different physical locations
• ☐ Revocation certificates have been generated and stored securely
• ☐ Key rotation schedule is documented and calendarized
• ☐ All keys are protected by strong passphrases or PINs
• ☐ Regular backup testing is scheduled
• ☐ Emergency access procedures are documented (for your trusted contacts)
• ☐ Hardware security devices are used for everyday key operations
• ☐ Keys on internet-connected devices are stored in encrypted form

Conclusion

Effective key management is not a one-time task but an ongoing process throughout the lifecycle of your cryptographic keys. By implementing the practices covered in this module, you'll significantly reduce the risk of key compromise while ensuring you maintain access to your encrypted data.

Remember that key management is about balancing security, availability, and usability. The right balance depends on your specific threat model and needs, but the principles outlined here provide a solid foundation for most users.

In the next module, we'll explore how to integrate these security practices into your daily workflows to maintain security without sacrificing productivity.