End User Encryption Key Protection Policy
1.0 Purpose
Effective encryption relies on the secure management of cryptographic keys. Improper handling, storage, or distribution of encryption keys, particularly private keys or symmetric keys, can lead to their compromise, negating the security provided by encryption and potentially exposing sensitive organizational data. While users may understand the need to encrypt specific data, documents, and electronic communications, they may not be familiar with the minimum practices for protecting the keys themselves, and those practices are crucial.
This policy outlines the minimum requirements for securely managing and protecting encryption keys that are under the control of end users, in order to prevent unauthorized disclosure or fraudulent use. The protection methods outlined include operational and technical controls, such as key backup procedures, encryption under a separate key, and use of tamper-resistant hardware.
2.0 Scope
This policy applies to all employees, contractors, consultants, and other personnel ("Users") who generate, possess, manage, or use cryptographic keys for organizational business purposes. It specifically covers the management and protection of:
* Encryption keys issued by or on behalf of the organization.
* Encryption keys used for conducting organizational business.
* Encryption keys used to protect data owned by the organization.
This policy applies to both symmetric (secret) keys and the private keys of asymmetric (public-key) key pairs. Public keys contained within digital certificates are generally considered public information and are exempt from the protection requirements outlined herein (though the integrity of certificates is managed via PKI processes).
3.0 Policy Statements
All encryption keys covered by this policy must be diligently protected against unauthorized disclosure, modification, loss, or misuse.
3.1 General Protection Principles
* The level of protection applied to an encryption key must be at least as strong as the protection required for the data it encrypts.
* Keys must be generated, stored, used, and destroyed using organization-approved methods and tools that adhere to cryptographic best practices.
3.2 Symmetric (Secret) Key Management
* **Distribution:** When symmetric encryption keys must be distributed to the parties that will use them, the distribution method must be secure. Keys must be encrypted in transit using a strong, approved asymmetric algorithm (see the Acceptable Encryption Policy) or an equally strong symmetric algorithm whose key meets or exceeds the strength of the key being distributed. If the keys being distributed are for the strongest approved algorithm, key splitting should be employed: each portion of the key is encrypted under a different key of the longest authorized length and sent over a separate transmission channel. The goal is to give the key more stringent protection than the data encrypted with it.
* **Storage:** Symmetric encryption keys, when stored at rest, must be protected using encryption or access control mechanisms at least as stringent as those used for their secure distribution.
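The key-splitting rule in section 3.2, as an added example that is not part of the policy: a symmetric key is split into n portions so that each can travel over a separate channel, and the recipient verifies the reassembled key before use. It uses only the Python standard library; the sample key is constructed, and in practice each portion would additionally be encrypted under its own wrapping key before transmission (not shown here).

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Portion:
    index: int          # 1-based position of this portion
    total: int          # how many portions were made
    value: bytes        # this portion, same length as the key
    check: bytes        # SHA-256 of the whole key, verified after reassembly

def _xor(chunks: list[bytes]) -> bytes:
    acc = bytes(len(chunks[0]))
    for c in chunks:
        acc = bytes(a ^ b for a, b in zip(acc, c))
    return acc

def split_key(key: bytes, n: int) -> list[Portion]:
    """n-of-n split: n-1 random portions plus (key XOR all of them).
    Any n-1 portions are uniformly random, so a channel that delivers
    fewer than all of them learns nothing about the key. The check
    value is a hash of the key and is only safe for full-entropy keys
    (a guessable key could be confirmed from it)."""
    if n < 2 or not key:
        raise ValueError("need a non-empty key and at least two portions")
    check = hashlib.sha256(key).digest()
    portions = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    portions.append(_xor([key] + portions))   # key ^ p1 ^ ... ^ p(n-1)
    return [Portion(i + 1, n, v, check) for i, v in enumerate(portions)]

def reassemble_key(portions: list[Portion]) -> bytes:
    """Rebuild the key from all portions, rejecting missing, duplicate,
    mismatched or tampered ones (constructed sample data in the test)."""
    if not portions:
        raise ValueError("no portions supplied")
    total, check, size = portions[0].total, portions[0].check, len(portions[0].value)
    if sorted(p.index for p in portions) != list(range(1, total + 1)):
        raise ValueError("portions missing or duplicated")
    if any(p.total != total or p.check != check or len(p.value) != size for p in portions):
        raise ValueError("portions do not belong to the same key")
    key = _xor([p.value for p in portions])
    if not hmac.compare_digest(hashlib.sha256(key).digest(), check):
        raise ValueError("reassembled key failed integrity check")
    return key
```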
3.3 Asymmetric (Public Key) Private Key Management
Asymmetric cryptography uses public/private key pairs. The public key is passed to the certificate authority (CA) for inclusion in the digital certificate issued to the user and is available to everyone once the certificate is issued; the private key must remain confidential and be securely managed by the user to whom the certificate is issued.
* **Organization PKI Keys (e.g., on Smart Cards):**
  * Private keys associated with the organization's Public Key Infrastructure (PKI), often used for digital signatures and encryption, may be generated and stored on secure, tamper-resistant hardware tokens such as the smart cards issued to users.
  * Private keys used *only* for digital signatures (identity certificates) should ideally be non-exportable and remain solely on the hardware token. Escrow of such signing-only private keys is generally not performed and may be technically infeasible or prohibited.
  * Private keys used for *data encryption* (e.g., for encrypting email and other documents) **must** be securely backed up and escrowed according to organizational procedures managed by the designated IT authority (e.g., Precision Computer Team or Identity Management group). This ensures data recovery if the user's key is lost or unavailable. Refer to the organization's Certificate Practice Statement or related documentation for escrow details.
  * Access to private keys stored on organization-issued hardware tokens (e.g., smart cards) must be protected by a strong PIN or password known only to the user and compliant with the Password Policy. The device or its software must require PIN/password entry for each session or operation involving the private key.
* **Other Software-Generated Keys:**
  * If key pairs are generated in software (e.g., by an application or browser) and stored as files on the user's computer or on a hardware token, the user is responsible for their protection. Key pairs generated on a smart card are subject to the same requirements as the organization's PKI keys above.
  * The private key file must be protected with a strong password or passphrase compliant with the Password Policy.
  * Users **must** create at least one secure backup of software-based private keys used for encryption and store all backup copies securely.
  * Users **must** provide a copy of any software-based private key used for *data encryption* to the designated organizational authority (e.g., local Information Security representative, IT Help Desk) for secure escrow, following established procedures. The Precision Computer Team does not escrow private keys associated with identity certificates.
  * Backup and escrow copies must be protected with strong passwords/passphrases compliant with the Password Policy. Storage of escrowed keys by the organization will adhere to the requirements in the Certificate Practice Statement or equivalent documentation.
* **Commercial / External PKI Keys:**
  * When working with business partners requires using keys from commercial CAs (e.g., VeriSign/DigiCert, Thawte) or partner PKIs, these keys are often generated and stored in software (e.g., a web browser's certificate store). For example, when a user requests a certificate from a commercial CA, the browser generates the key pair and submits the public key in the certificate request; the private key remains in the browser's certificate store, protected only by the store's password.
  * Users must protect access to these software-based key stores with a strong password. Browser or application settings should be configured to require this password whenever a private key is accessed. Users remain responsible for securely backing up these keys if used for critical data encryption or access. Escrow requirements may apply if they are used to encrypt organizational data.
* **PGP Keys:**
  * PGP key pairs may be stored in key ring files on the computer's hard drive or, preferably, on a hardware token (e.g., secure USB drive, smart card), since a key ring file is protected only by its passphrase.
  * Access to the PGP private key(s) must be protected by a strong passphrase compliant with the Password Policy.
  * PGP software should be configured to require passphrase entry for each use of the private key.
3.4 Hardware Token Security
* Hardware tokens (smart cards, USB tokens, etc.) storing encryption keys are considered sensitive organizational assets.
* They must be physically secured according to the organization's Physical Security Policy, especially when outside organizational premises.
* Tokens must not be left unattended or left connected to computers when not actively in use.
* When traveling, tokens should ideally be carried separately from the computer they are used with, rather than in the same container or bag.
3.5 Authentication (PINs, Passwords, Passphrases)
* All PINs, passwords, or passphrases used to protect encryption keys or access to hardware tokens must meet the complexity, length, and management requirements defined in the organization's Password Policy.
3.6 Loss, Theft, or Compromise Reporting
* The loss, theft, or suspected compromise (unauthorized disclosure or access) of any encryption key covered by this policy, or of any hardware token containing such keys, **must be reported immediately** to the designated IT authority (e.g., Precision Computer Team or IT Help Desk).
* IT personnel will guide the end user through the necessary actions, including key/certificate revocation and replacement procedures.
4.0 Compliance
4.1 Compliance Measurement
The designated IT authority (e.g., Precision Computer team, Information Security, Internal Audit) will verify compliance with this policy through various methods, including audits of key management practices, review of PKI configurations, checks on escrow procedures, user awareness assessments, and investigation of reported incidents.
4.2 Exceptions
Any exception to this policy requires formal, documented justification, a risk assessment, and advance approval from the designated IT authority (e.g., Precision Computer Team or Information Security).
4.3 Enforcement
Failure to comply with this policy, particularly regarding key protection, escrow, or incident reporting, may result in disciplinary action, up to and including termination of employment or contract. It may also lead to revocation of access privileges or certificates.
5.0 Definitions
* **Certificate Authority (CA):** An entity trusted to issue, manage, and revoke digital certificates.
* **Digital Certificate:** An electronic document binding a public key to an identity (user, device, service), signed by a CA.
* **Digital Signature:** A cryptographic mechanism using a private key to sign data, allowing verification of origin and integrity using the corresponding public key.
* **Hardware Token:** A physical device (e.g., smart card, USB key) used to store cryptographic keys securely and potentially perform cryptographic operations.
* **Key Escrow:** The practice of securely storing a copy of a cryptographic key (typically a private encryption key) with a trusted third party or organizational authority to allow for data recovery.
* **PGP (Pretty Good Privacy):** A popular encryption program providing cryptographic privacy and authentication, often used for email and file encryption.
* **PIN (Personal Identification Number):** A short numeric or alphanumeric code used for authentication, often to access a hardware token.
* **Private Key:** The secret component of an asymmetric key pair.
* **Public Key:** The publicly shared component of an asymmetric key pair.
* **Public Key Cryptography (Asymmetric Cryptography):** A cryptographic system using pairs of keys (public and private).
* **Symmetric Cryptography (Secret Key Cryptography):** A cryptographic system using the same key for encryption and decryption.
6.0 Related Standards, Policies and Processes
* Acceptable Encryption Policy
* Certificate Practice Statement Policy (or equivalent PKI documentation)
* Password Policy
* Physical Security Policy
* Data Classification Policy
* Information Handling Policy
The following terms are defined in the SANS Glossary located at https://www.sans.org/security-resources/glossary-of-terms/:
* Digital certificate
* Digital signature
* Key escrow
* Plaintext
* Public key cryptography
* Public key pairs
* Symmetric cryptography