Key Management encompasses the policies, procedures, and technology for handling cryptographic keys throughout their lifecycle. This includes key generation using secure random number generators, distribution through secure channels, storage in protected hardware or key vaults, rotation on defined schedules, and destruction when no longer needed.
Poor key management undermines strong encryption. A perfectly implemented AES-256 system is worthless if keys are stored in plaintext or shared via email. Enterprise key management systems centralize control, enforce policies, and provide audit trails for compliance.
CISSP Relevance
Domain 3 (Security Architecture and Engineering) covers key management as essential to cryptographic systems. Understand key lifecycle stages, secure generation requirements, distribution methods, storage protection (HSMs, key vaults), rotation policies, and secure destruction. Know that key management is often harder than the cryptography itself.
Comprehensive guidance is in NIST SP 800-57 Part 1.
Related terms: Encryption, PKI