~~NOTOC~~
====== 11. Key Management ======
**Scenarios:** 5 \\
**FFI Functions:** ~40 \\
**Status:** ⏳ Planned
This category covers all scenarios for managing cryptographic keys: generation, rotation, secure storage, backup, and destruction.
----
===== Scenarios =====
^ ID ^ Scenario ^ Description ^ Complexity ^ Status ^
| [[.:generierung|11.1]] | Generate Keys | ML-DSA, ML-KEM, Hybrid | ⭐⭐ | ⏳ |
| [[.:speicherung|11.2]] | Secure Storage | HSM, TPM, Software Vault | ⭐⭐⭐⭐ | ⏳ |
| [[.:rotation|11.3]] | Key Rotation | Planned key renewal | ⭐⭐⭐ | ⏳ |
| [[.:backup|11.4]] | Key Backup | Encrypted backup, recovery | ⭐⭐⭐ | ⏳ |
| [[.:vernichtung|11.5]] | Key Destruction | Secure deletion, zeroization | ⭐⭐⭐ | ⏳ |
----
===== Key Lifecycle =====
<code mermaid>
flowchart LR
    subgraph GEN["🔑 Generation"]
        G1[Generate key]
        G2[Create backup]
    end
    subgraph USE["⚙️ Usage"]
        U1[Activate]
        U2[In use]
    end
    subgraph END["🗑️ End"]
        E1[Deactivate]
        E2[Archive]
        E3[Destroy]
    end
    GEN --> USE --> END
    style G1 fill:#e8f5e9
    style U2 fill:#e3f2fd
    style E3 fill:#ffcdd2
</code>
----
===== Key Types and Storage =====
^ Key Type ^ Recommended Storage ^ Backup ^ Rotation ^
| **Root CA** | HSM (Offline) | M-of-N Split | Never (20+ years) |
| **Intermediate CA** | HSM (Online) | Encrypted | 5-10 years |
| **Server** | Software/TPM | Optional | 1-2 years |
| **Client** | Smart Card/TPM | No | 1-2 years |
----
===== Storage Options =====
^ Option ^ Security ^ Performance ^ Cost ^ Usage ^
| **HSM** | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | €€€ | CA, Critical systems |
| **TPM** | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | € | Servers, Workstations |
| **Software Vault** | ⭐⭐⭐ | ⭐⭐⭐⭐⭐ | €€ | Containers, Cloud |
| **Encrypted File** | ⭐⭐ | ⭐⭐⭐⭐⭐ | - | Development |
----
===== Industry-Specific Requirements =====
^ Industry ^ CA Key ^ End-Entity ^ Compliance ^
| **Energy/SCADA** | HSM (Offline) | TPM | NIS2, KRITIS |
| **Healthcare** | HSM | Smart Card | gematik, GDPR |
| **Automotive** | HSM | Secure Element | UN R155 |
| **Industry 4.0** | HSM | TPM | IEC 62443 |
----
===== Quick Start Code =====
==== Generate Keys ====
<code csharp>
using WvdS.Security.Cryptography.Extensions.PQ;

// ctx: the library's initialized cryptography context (created earlier, not shown on this page)

// ML-DSA-65 for signatures
using var signingKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);

// ML-KEM-768 for key encapsulation
using var kemKey = ctx.GenerateKeyPair(PqAlgorithm.MlKem768);

// Hybrid key (ECDSA P-384 + ML-DSA-65)
using var hybridKey = ctx.GenerateHybridKeyPair(
    classicAlgorithm: EcdsaCurve.P384,
    pqAlgorithm: PqAlgorithm.MlDsa65
);
</code>
==== Secure Storage ====
<code csharp>
// securePassword: the passphrase obtained from the operator (not shown on this page)

// Store the key encrypted (Argon2id KDF + AES-256-GCM)
signingKey.SaveEncrypted(
    path: "signing.key.pem",
    password: securePassword,
    kdfOptions: new KdfOptions
    {
        Algorithm = KdfAlgorithm.Argon2id,
        Iterations = 3,       // Argon2 time cost (passes)
        MemoryKiB = 65536,    // 64 MB memory cost
        Parallelism = 4       // lanes
    }
);

// Load the key again; decryption fails if the password is wrong
using var loadedKey = ctx.LoadPrivateKey("signing.key.pem", securePassword);
</code>
==== Destroy Keys ====
<code csharp>
// Option 1: secure destruction (zeroization) on disposal.
// A `using var` key is disposed automatically at the end of its scope.
signingKey.Dispose(); // Overwrites the key material in memory with zeros

// Option 2: for maximum security, explicitly erase before disposing.
// Call SecureErase on a live key object, never after Dispose.
signingKey.SecureErase(); // Multiple overwrite passes
signingKey.Dispose();
</code>
----
===== Key Ceremony Checklist =====
**Root CA Key Ceremony:**
- [ ] Prepare air-gapped system
- [ ] Witnesses present (minimum 2)
- [ ] Audit logging activated
- [ ] Generate key
- [ ] Create M-of-N backup (e.g., 3-of-5)
- [ ] Distribute backups to different locations
- [ ] Export root certificate
- [ ] Shut down and seal system
- [ ] Sign documentation
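The M-of-N backup that the Key Types table prescribes for the Root CA and that the ceremony checklist calls for (e.g., 3-of-5) is a threshold secret split. The following is an added example, not part of the WvdS library or this page's code: a minimal Shamir secret sharing in Python over a 521-bit prime field, using only the standard library; the key bytes and share counts are constructed sample values.

```python
import secrets

# Field prime: Mersenne prime 2**521 - 1; any secret of up to 64 bytes
# (raw symmetric key or private scalar) is a field element without padding.
PRIME = (1 << 521) - 1

def _eval_poly(coeffs, x):
    """Evaluate the polynomial with coefficients coeffs[0..k] at x (mod PRIME)."""
    result = 0
    for c in reversed(coeffs):  # Horner's rule
        result = (result * x + c) % PRIME
    return result

def split_secret(secret: bytes, threshold: int, shares: int):
    """Split secret into `shares` (x, y) pairs; any `threshold` of them recover it."""
    if not 1 < threshold <= shares or not 0 < len(secret) <= 64:
        raise ValueError("need 1 < threshold <= shares and 1..64 secret bytes")
    # Random polynomial of degree threshold-1 whose constant term is the secret;
    # coefficients come from the OS CSPRNG (secrets), never from random.
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(PRIME - 1) + 1 for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]

def recover_secret(shares, length: int) -> bytes:
    """Lagrange-interpolate the shared polynomial at x = 0 to get the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    # Below the threshold, interpolation yields an essentially random field
    # element that almost always exceeds `length` bytes, so this catches most
    # insufficient quorums. It is not an authenticity check on the shares.
    if total >= 1 << (8 * length):
        raise ValueError("shares do not reconstruct a secret of this length")
    return total.to_bytes(length, "big")

if __name__ == "__main__":
    # Constructed sample: a 32-byte key-encryption key, split 3-of-5 as in the checklist.
    kek = secrets.token_bytes(32)
    parts = split_secret(kek, threshold=3, shares=5)
    assert recover_secret(parts[1:4], 32) == kek
    print("3-of-5 split OK; any three custodians can rebuild the key")
```

Each (x, y) pair goes to one custodian and a different location; the y values are large integers and can be stored as hex on the custodians' media.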
----
===== Related Categories =====
^ Category ^ Relationship ^
| [[.:pki:start|1. PKI Infrastructure]] | Manage CA keys |
| [[.:verwaltung:start|4. Certificate Management]] | Re-key on rotation |
| [[.:interop:start|12. Import/Export]] | Export keys |
----
<< [[en:int:pqcrypt:szenarien:tls:start|← 10. TLS/mTLS]] | [[en:int:pqcrypt:szenarien:start|↑ Scenarios]] | [[.:interop:start|12. Import/Export →]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>category key generation rotation hsm}}