====== Key Management ======

Compact examples for key management.

-> **Details:** [[en:int:pqcrypt:szenarien:schluessel:start|Key Scenarios]]

----

===== Generate Keys =====

<code csharp>
using System.Security.Cryptography;

// ML-DSA (Signatures) - parameter set 65 for intermediate/end-entity, 87 for root keys
using var mlDsa65 = MlDsaSigner.Create(MlDsaParameterSet.MlDsa65);
using var mlDsa87 = MlDsaSigner.Create(MlDsaParameterSet.MlDsa87);

// ML-KEM (Key Exchange)
using var mlKem768 = MlKem.Create(MlKemParameterSet.MlKem768);
using var mlKem1024 = MlKem.Create(MlKemParameterSet.MlKem1024);

// Classical (Hybrid) - paired with the ML-DSA key in a hybrid scheme
using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP384);
using var rsa = RSA.Create(4096);
</code>

-> **Details:** [[en:int:pqcrypt:szenarien:schluessel:generierung|Generation]]

----

===== Store Keys =====

<code csharp>
using System.Security.Cryptography;

// mlDsa: an ML-DSA instance created as in "Generate Keys"

// DPAPI (Windows) - bound to the current user account, no password to manage
byte[] privateKey = mlDsa.ExportPrivateKey();
byte[] encrypted = ProtectedData.Protect(privateKey, optionalEntropy: null, DataProtectionScope.CurrentUser);
CryptographicOperations.ZeroMemory(privateKey);   // plaintext key is no longer needed

// PEM with password (PKCS#8, AES-256-CBC, PBKDF2 with 100000 iterations)
// "password" is a placeholder; take the real one from a secret store, not source code
string pem = mlDsa.ExportEncryptedPkcs8PrivateKeyPem(
    "password"u8,
    new PbeParameters(
        PbeEncryptionAlgorithm.Aes256Cbc,
        HashAlgorithmName.SHA256,
        100000));
</code>

-> **Details:** [[en:int:pqcrypt:szenarien:schluessel:speicherung|Storage]]

----

===== Rotate Keys =====

<code csharp>
var rotationService = new KeyRotationService(options =>
{
    options.RotationInterval = TimeSpan.FromDays(90);   // regular rotation
    options.MaxKeyAge = TimeSpan.FromDays(365);         // hard limit, even if a rotation was missed
});

// Check if rotation needed
if (rotationService.ShouldRotate(currentKey))
{
    var newKey = MlDsaSigner.Create(MlDsaParameterSet.MlDsa65);
    rotationService.Rotate(currentKey, newKey);   // old key stays available for verification only
}
</code>

-> **Details:** [[en:int:pqcrypt:szenarien:schluessel:rotation|Rotation]]

----

===== Key Backup =====

<code csharp>
// Shamir Secret Sharing (3-of-5): any 3 shares recover the key, 2 reveal nothing
var shares = ShamirSecretSharing.Split(
    privateKey,
    totalShares: 5,
    threshold: 3);

// Distribute to trustees (one share per trustee, never two to the same person)
foreach (var (index, share) in shares)
    SaveToTrustee(index, share);

// Recover from any 3 of the 5 shares
var recoveredShares = new[] { shares[0], shares[2], shares[4] };
byte[] recovered = ShamirSecretSharing.Combine(recoveredShares);
</code>

-> **Details:** [[en:int:pqcrypt:szenarien:schluessel:backup|Backup]]

----

===== Destroy Keys =====

<code csharp>
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Secure deletion - overwrite the key material instead of waiting for the GC
CryptographicOperations.ZeroMemory(privateKeyBytes);

// Revoke certificate - AddEntry takes the certificate (or its serial number bytes), not the hex string
var crlBuilder = new CertificateRevocationListBuilder();
crlBuilder.AddEntry(cert, DateTimeOffset.UtcNow, X509RevocationReason.KeyCompromise);
</code>

-> **Details:** [[en:int:pqcrypt:szenarien:schluessel:vernichtung|Destruction]]

----

===== Recommendations =====

^ Key Type ^ Algorithm ^ Validity ^
| Root CA | ML-DSA-87 | 20+ years |
| Intermediate CA | ML-DSA-65 | 5-10 years |
| End-Entity | ML-DSA-65 / Hybrid | 1-2 years |
| Ephemeral | ML-KEM-768 | Session |

----

<< [[.:start|<- Quick Reference]] | [[en:int:pqcrypt:szenarien:schluessel:start|-> Key Scenarios (Details)]] >>

----

//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//

{{tag>quickreference keys generation rotation backup}}
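The "Rotate Keys" section above uses a ''KeyRotationService'' that the quick reference does not define. The following is an added example, not the project's own code: a minimal stand-in with the same two settings that distinguishes a key that is merely due for rotation from one that has passed its maximum age and must be refused. ''KeyRecord'', ''RotationPolicy'', ''RotationDecision'' and the key ids are assumed names.

```csharp
// Added example (not the project's KeyRotationService): a minimal rotation policy
// that decides from a key's creation time whether it may be kept, is due for
// rotation, or has exceeded its maximum age and must no longer be used.
using System;

public enum RotationDecision { Keep, Rotate, Expired }

public sealed class KeyRecord
{
    public string KeyId { get; init; } = "";
    public DateTimeOffset CreatedAt { get; init; }
    public DateTimeOffset? RetiredAt { get; set; }   // set when a newer key replaced this one
}

public sealed class RotationPolicy
{
    // Rotate once a key has been in use this long (the quick reference uses 90 days).
    public TimeSpan RotationInterval { get; init; } = TimeSpan.FromDays(90);
    // Hard limit: a key older than this is refused even if a rotation was missed.
    public TimeSpan MaxKeyAge { get; init; } = TimeSpan.FromDays(365);

    public RotationDecision Evaluate(KeyRecord key, DateTimeOffset now)
    {
        TimeSpan age = now - key.CreatedAt;
        if (age >= MaxKeyAge) return RotationDecision.Expired;   // checked first: expiry wins over rotation
        if (age >= RotationInterval) return RotationDecision.Rotate;
        return RotationDecision.Keep;
    }

    // Retire the current key (it may still verify old signatures) and return the new record.
    // Generating the actual key material (e.g. MlDsaSigner.Create) happens outside this method.
    public KeyRecord Rotate(KeyRecord current, string newKeyId, DateTimeOffset now)
    {
        current.RetiredAt = now;
        return new KeyRecord { KeyId = newKeyId, CreatedAt = now };
    }
}

public static class RotationDemo
{
    public static void Main()
    {
        var policy = new RotationPolicy();
        var now = new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero);

        // Constructed records: one fresh key, one due for rotation, one past its maximum age
        var fresh  = new KeyRecord { KeyId = "k-fresh",   CreatedAt = now.AddDays(-10) };
        var due    = new KeyRecord { KeyId = "k-due",     CreatedAt = now.AddDays(-120) };
        var tooOld = new KeyRecord { KeyId = "k-expired", CreatedAt = now.AddDays(-400) };

        foreach (var k in new[] { fresh, due, tooOld })
            Console.WriteLine($"{k.KeyId}: {policy.Evaluate(k, now)}");

        if (policy.Evaluate(due, now) == RotationDecision.Rotate)
        {
            var next = policy.Rotate(due, "k-next", now);
            Console.WriteLine($"retired {due.KeyId} at {due.RetiredAt}, active key is now {next.KeyId}");
        }
    }
}
```

Checking ''MaxKeyAge'' before ''RotationInterval'' matters: a key that was never rotated because the scheduler was down should come back as ''Expired'', not as a routine ''Rotate'', so the caller knows signatures made with it in the meantime need review.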
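The "Key Backup" section above calls a ''ShamirSecretSharing'' type that the quick reference does not define. As an added example, not the project's own library, the following implements the same ''Split''/''Combine'' pair for the 3-of-5 case (and any other threshold up to 255 shares) over GF(2^8), the AES field, so each secret byte is shared independently. ''ShamirGf256'' is an assumed name and the 32-byte secret is a constructed stand-in for an exported private key.

```csharp
// Added example, not the project's ShamirSecretSharing: byte-wise Shamir sharing
// over GF(2^8). Each secret byte is the constant term of a random polynomial of
// degree threshold-1; share i holds that polynomial evaluated at x = i.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public static class ShamirGf256
{
    // Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B).
    static byte Mul(byte a, byte b)
    {
        int p = 0, aa = a, bb = b;
        for (int i = 0; i < 8; i++)
        {
            if ((bb & 1) != 0) p ^= aa;
            bool carry = (aa & 0x80) != 0;
            aa = (aa << 1) & 0xFF;
            if (carry) aa ^= 0x1B;
            bb >>= 1;
        }
        return (byte)p;
    }

    // Multiplicative inverse a^254 (a^255 = 1 for every non-zero a in GF(2^8)).
    static byte Inv(byte a)
    {
        if (a == 0) throw new DivideByZeroException("no inverse of 0 in GF(2^8)");
        byte result = 1, power = a;
        for (int exp = 254; exp > 0; exp >>= 1)
        {
            if ((exp & 1) != 0) result = Mul(result, power);
            power = Mul(power, power);
        }
        return result;
    }

    // Split secret into totalShares shares of which any threshold recover it.
    public static List<(byte Index, byte[] Data)> Split(byte[] secret, int totalShares, int threshold)
    {
        if (threshold < 2 || threshold > totalShares || totalShares > 255)
            throw new ArgumentException("need 2 <= threshold <= totalShares <= 255");

        var shares = new List<(byte Index, byte[] Data)>();
        for (int i = 1; i <= totalShares; i++)          // x = 0 is never used: it would leak the secret
            shares.Add(((byte)i, new byte[secret.Length]));

        byte[] coeffs = new byte[threshold];            // coeffs[0] = secret byte, the rest random
        for (int pos = 0; pos < secret.Length; pos++)
        {
            coeffs[0] = secret[pos];
            RandomNumberGenerator.Fill(coeffs.AsSpan(1));
            foreach (var (x, data) in shares)
            {
                byte y = 0;                              // Horner: y = (...(a_{t-1} x + a_{t-2}) x + ...) + a_0
                for (int k = threshold - 1; k >= 0; k--) y = (byte)(Mul(y, x) ^ coeffs[k]);
                data[pos] = y;
            }
        }
        CryptographicOperations.ZeroMemory(coeffs);      // do not leave the last coefficients in memory
        return shares;
    }

    // Recover the secret from at least threshold shares with distinct indices
    // (Lagrange interpolation at x = 0; subtraction is XOR in characteristic 2).
    // With fewer than threshold shares the result is garbage, not an error.
    public static byte[] Combine(IReadOnlyList<(byte Index, byte[] Data)> shares)
    {
        for (int i = 0; i < shares.Count; i++)
            for (int j = i + 1; j < shares.Count; j++)
                if (shares[i].Index == shares[j].Index) throw new ArgumentException("duplicate share index");

        byte[] secret = new byte[shares[0].Data.Length];
        for (int pos = 0; pos < secret.Length; pos++)
        {
            byte acc = 0;
            for (int i = 0; i < shares.Count; i++)
            {
                byte num = 1, den = 1;
                for (int j = 0; j < shares.Count; j++)
                {
                    if (j == i) continue;
                    num = Mul(num, shares[j].Index);                            // (0 - x_j) = x_j
                    den = Mul(den, (byte)(shares[i].Index ^ shares[j].Index));  // (x_i - x_j)
                }
                acc ^= Mul(shares[i].Data[pos], Mul(num, Inv(den)));
            }
            secret[pos] = acc;
        }
        return secret;
    }

    public static void Main()
    {
        byte[] privateKey = RandomNumberGenerator.GetBytes(32);   // constructed stand-in for an exported key
        var shares = Split(privateKey, totalShares: 5, threshold: 3);
        var subset = new[] { shares[0], shares[2], shares[4] };   // any 3 of the 5 trustees
        byte[] recovered = Combine(subset);
        Console.WriteLine(CryptographicOperations.FixedTimeEquals(privateKey, recovered) ? "recovered" : "mismatch");
        CryptographicOperations.ZeroMemory(privateKey);
        CryptographicOperations.ZeroMemory(recovered);
    }
}
```

Two properties of the scheme are visible in the code: a share index of 0 is never issued, because the polynomial's value at 0 is the secret itself, and ''Combine'' cannot tell whether it received enough shares, so the threshold must be recorded alongside the shares (for example in the trustee's envelope) rather than inferred at recovery time.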