11. Key Management

Scenarios: 5
FFI Functions: ~40
Status: ⏳ Planned

This category encompasses all scenarios for managing cryptographic keys. Generation, rotation, secure storage, and destruction.

Scenarios

ID	Scenario	Description	Complexity	Status
11.1	Generate Keys	ML-DSA, ML-KEM, Hybrid	⭐⭐	⏳
11.2	Secure Storage	HSM, TPM, Software Vault	⭐⭐⭐⭐	⏳
11.3	Key Rotation	Planned key renewal	⭐⭐⭐	⏳
11.4	Key Backup	Encrypted backup, recovery	⭐⭐⭐	⏳
11.5	Key Destruction	Secure deletion, zeroization	⭐⭐⭐	⏳

Key Lifecycle

flowchart LR subgraph GEN["🔑 Generation"] G1[Generate key] G2[Create backup] end subgraph USE["⚙️ Usage"] U1[Activate] U2[In use] end subgraph END["🗑️ End"] E1[Deactivate] E2[Archive] E3[Destroy] end GEN --> USE --> END style G1 fill:#e8f5e9 style U2 fill:#e3f2fd style E3 fill:#ffcdd2

Key Types and Storage

Key Type	Recommended Storage	Backup	Rotation
Root CA	HSM (Offline)	M-of-N Split	Never (20+ years)
Intermediate CA	HSM (Online)	Encrypted	5-10 years
Server	Software/TPM	Optional	1-2 years
Client	Smart Card/TPM	No	1-2 years

Storage Options

Option	Security	Performance	Cost	Usage
HSM	⭐⭐⭐⭐⭐	⭐⭐⭐	€€€	CA, Critical systems
TPM	⭐⭐⭐⭐	⭐⭐⭐⭐	€	Servers, Workstations
Software Vault	⭐⭐⭐	⭐⭐⭐⭐⭐	€€	Containers, Cloud
Encrypted File	⭐⭐	⭐⭐⭐⭐⭐	-	Development

Industry-Specific Requirements

Industry	CA Key	End-Entity	Compliance
Energy/SCADA	HSM (Offline)	TPM	NIS2, KRITIS
Healthcare	HSM	Smart Card	gematik, GDPR
Automotive	HSM	Secure Element	UN R155
Industry 4.0	HSM	TPM	IEC 62443

Quick Start Code

Generate Keys

using WvdS.Security.Cryptography.Extensions.PQ;
 
// ML-DSA-65 for signatures
using var signingKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);
 
// ML-KEM-768 for Key Encapsulation
using var kemKey = ctx.GenerateKeyPair(PqAlgorithm.MlKem768);
 
// Hybrid key (ECDSA + ML-DSA)
using var hybridKey = ctx.GenerateHybridKeyPair(
    classicAlgorithm: EcdsaCurve.P384,
    pqAlgorithm: PqAlgorithm.MlDsa65
);

Secure Storage

// Store key encrypted (Argon2id KDF + AES-256-GCM)
signingKey.SaveEncrypted(
    path: "signing.key.pem",
    password: securePassword,
    kdfOptions: new KdfOptions
    {
        Algorithm = KdfAlgorithm.Argon2id,
        Iterations = 3,
        MemoryKiB = 65536,  // 64 MB
        Parallelism = 4
    }
);
 
// Load
using var loadedKey = ctx.LoadPrivateKey("signing.key.pem", securePassword);

Destroy Keys

// Secure destruction (zeroization)
signingKey.Dispose();  // Overwrites memory with zeros
 
// For maximum security: Explicit Zeroize
signingKey.SecureErase();  // Multiple overwrites
signingKey.Dispose();

Key Ceremony Checklist

Root CA Key Ceremony:

[ ] Prepare air-gapped system
[ ] Witnesses present (minimum 2)
[ ] Audit logging activated
[ ] Generate key
[ ] Create M-of-N backup (e.g., 3-of-5)
[ ] Distribute backups to different locations
[ ] Export root certificate
[ ] Shut down and seal system
[ ] Sign documentation

Related Categories

Category	Relationship
1. PKI Infrastructure	Manage CA keys
4. Certificate Management	Re-key on rotation
12. Import/Export	Export keys

« ← 10. TLS/mTLS | ↑ Scenarios | 12. Import/Export → »

Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

category, key, generation, rotation, hsm