
Key Management

Compact examples for key management. → Details: Key Scenarios


Generate Keys

// ML-DSA (FIPS 204) signature keys. ML-DSA-65 targets NIST security
// category 3, ML-DSA-87 category 5; the larger set costs bigger keys and signatures.
using var signer65 = MlDsaSigner.Create(MlDsaParameterSet.MlDsa65);
using var signer87 = MlDsaSigner.Create(MlDsaParameterSet.MlDsa87);

// ML-KEM (FIPS 203) encapsulation keys for key exchange.
// ML-KEM-768 is category 3, ML-KEM-1024 category 5.
using var kem768 = MlKem.Create(MlKemParameterSet.MlKem768);
using var kem1024 = MlKem.Create(MlKemParameterSet.MlKem1024);

// Classical keys used next to the PQ ones in hybrid constructions, so that a
// break of either family alone does not break the combined scheme.
using ECDsa ecdsaP384 = ECDsa.Create(ECCurve.NamedCurves.nistP384);
using RSA rsa4096 = RSA.Create(4096);

Details: Generation


Store Keys

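// DPAPI (Windows only — System.Security.Cryptography.ProtectedData throws
// PlatformNotSupportedException elsewhere). CurrentUser scope binds the blob
// to this Windows account on this machine; it is not portable.
// `mlDsa` is assumed to be a signer created as in "Generate Keys".
byte[] privateKey = mlDsa.ExportPrivateKey();
byte[] encrypted;
try
{
    // The parameter is named optionalEntropy (`entropy:` does not compile).
    // Supplying a per-application secret here adds a second factor that a
    // same-user process would also have to know to unprotect the blob.
    encrypted = ProtectedData.Protect(privateKey,
        optionalEntropy: null, DataProtectionScope.CurrentUser);
}
finally
{
    // Wipe the plaintext export as soon as it is protected; run this after
    // the last consumer of the raw key (e.g. a backup split) has finished.
    CryptographicOperations.ZeroMemory(privateKey);
}

// PEM with password (PKCS#8 / PBES2: AES-256-CBC with PBKDF2-HMAC-SHA256).
// "password"u8 is a placeholder — take the passphrase from a secret store or
// an interactive prompt, never from source. 100000 iterations is a floor;
// raise it as far as the unlock-latency budget allows.
string pem = mlDsa.ExportEncryptedPkcs8PrivateKeyPem(
    "password"u8, new PbeParameters(
        PbeEncryptionAlgorithm.Aes256Cbc,
        HashAlgorithmName.SHA256, 100000));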

Details: Storage


Rotate Keys

// Rotation policy: RotationInterval of 90 days and MaxKeyAge of 365 days
// (presumably the soft and hard limits, respectively — see Rotation details).
var rotation = new KeyRotationService(cfg =>
{
    cfg.RotationInterval = TimeSpan.FromDays(90);
    cfg.MaxKeyAge = TimeSpan.FromDays(365);
});

// Ask the service whether `currentKey` is due, and only then generate the
// successor and hand both keys over for the switch.
// NOTE(review): the service is assumed to take ownership of `replacement`
// (it is not disposed here) — confirm against KeyRotationService.
if (rotation.ShouldRotate(currentKey))
{
    var replacement = MlDsaSigner.Create(MlDsaParameterSet.MlDsa65);
    rotation.Rotate(currentKey, replacement);
}

Details: Rotation


Key Backup

// Shamir Secret Sharing: split `privateKey` into 5 shares so that any 3 of
// them reconstruct it, while fewer than 3 reveal nothing about it.
var keyShares = ShamirSecretSharing.Split(
    privateKey, totalShares: 5, threshold: 3);

// Hand each (index, share) pair to a different trustee, over a channel that
// is confidential and authenticated; Combine expects the pairs back intact.
foreach (var (trusteeIndex, share) in keyShares)
{
    SaveToTrustee(trusteeIndex, share);
}

// Recover from any threshold-sized subset — here trustees 0, 2 and 4.
var quorum = new[] { keyShares[0], keyShares[2], keyShares[4] };
byte[] recovered = ShamirSecretSharing.Combine(quorum);

Details: Backup


Destroy Keys

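// Secure deletion: overwrites this buffer in place. Copies made earlier
// (other arrays, or strings such as an exported PEM, which are immutable)
// are not touched, so keep the plaintext in as few buffers as possible.
CryptographicOperations.ZeroMemory(privateKeyBytes);

// Revoke certificate. Assuming `cert` is an X509Certificate2, its
// SerialNumber property is a hex string, which AddEntry does not accept;
// pass the certificate itself (or cert.SerialNumberBytes.Span) instead.
var crlBuilder = new CertificateRevocationListBuilder();
crlBuilder.AddEntry(cert,
    DateTimeOffset.UtcNow, X509RevocationReason.KeyCompromise);
// The entry takes effect only once the CRL is produced with
// crlBuilder.Build(...) — signed by the issuing CA — and published where
// relying parties fetch it.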

Details: Destruction


Recommendations

| Key Type | Algorithm | Validity |
|---|---|---|
| Root CA | ML-DSA-87 | 20+ years |
| Intermediate CA | ML-DSA-65 | 5-10 years |
| End-Entity | ML-DSA-65 / Hybrid | 1-2 years |
| Ephemeral | ML-KEM-768 | Session |



Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional