# 11. Key Management
Scenarios: 5
FFI Functions: ~40
Status: ⏳ Planned
This category covers all scenarios for managing cryptographic keys: generation, rotation, secure storage, and destruction.

## Scenarios
| ID | Scenario | Description | Complexity | Status |
|---|---|---|---|---|
| 11.1 | Generate Keys | ML-DSA, ML-KEM, Hybrid | ⭐⭐ | ⏳ |
| 11.2 | Secure Storage | HSM, TPM, Software Vault | ⭐⭐⭐⭐ | ⏳ |
| 11.3 | Key Rotation | Planned key renewal | ⭐⭐⭐ | ⏳ |
| 11.4 | Key Backup | Encrypted backup, recovery | ⭐⭐⭐ | ⏳ |
| 11.5 | Key Destruction | Secure deletion, zeroization | ⭐⭐⭐ | ⏳ |
## Key Lifecycle

```mermaid
flowchart LR
    subgraph GEN["🔑 Generation"]
        G1[Generate key]
        G2[Create backup]
    end
    subgraph USE["⚙️ Usage"]
        U1[Activate]
        U2[In use]
    end
    subgraph END["🗑️ End"]
        E1[Deactivate]
        E2[Archive]
        E3[Destroy]
    end
    GEN --> USE --> END
    style G1 fill:#e8f5e9
    style U2 fill:#e3f2fd
    style E3 fill:#ffcdd2
```
## Key Types and Storage
| Key Type | Recommended Storage | Backup | Rotation |
|---|---|---|---|
| Root CA | HSM (Offline) | M-of-N Split | Never (20+ years) |
| Intermediate CA | HSM (Online) | Encrypted | 5-10 years |
| Server | Software/TPM | Optional | 1-2 years |
| Client | Smart Card/TPM | No | 1-2 years |
## Storage Options
| Option | Security | Performance | Cost | Usage |
|---|---|---|---|---|
| HSM | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | €€€ | CA, Critical systems |
| TPM | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | € | Servers, Workstations |
| Software Vault | ⭐⭐⭐ | ⭐⭐⭐⭐⭐ | €€ | Containers, Cloud |
| Encrypted File | ⭐⭐ | ⭐⭐⭐⭐⭐ | - | Development |
## Industry-Specific Requirements
| Industry | CA Key | End-Entity | Compliance |
|---|---|---|---|
| Energy/SCADA | HSM (Offline) | TPM | NIS2, KRITIS |
| Healthcare | HSM | Smart Card | gematik, GDPR |
| Automotive | HSM | Secure Element | UN R155 |
| Industry 4.0 | HSM | TPM | IEC 62443 |
## Quick Start Code

### Generate Keys

```csharp
using WvdS.Security.Cryptography.Extensions.PQ;

// ctx: the library's crypto context, assumed to have been created earlier
// (its construction is not part of this quick start).

// ML-DSA-65 for signatures
using var signingKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);

// ML-KEM-768 for key encapsulation
using var kemKey = ctx.GenerateKeyPair(PqAlgorithm.MlKem768);

// Hybrid key (ECDSA + ML-DSA)
using var hybridKey = ctx.GenerateHybridKeyPair(
    classicAlgorithm: EcdsaCurve.P384,
    pqAlgorithm: PqAlgorithm.MlDsa65
);
```

### Secure Storage

```csharp
// securePassword: obtained from the operator or a secrets manager; assumed
// to be in scope (not shown here).

// Store the key encrypted at rest (Argon2id KDF + AES-256-GCM)
signingKey.SaveEncrypted(
    path: "signing.key.pem",
    password: securePassword,
    kdfOptions: new KdfOptions
    {
        Algorithm = KdfAlgorithm.Argon2id,
        Iterations = 3,
        MemoryKiB = 65536, // 64 MiB
        Parallelism = 4
    }
);

// Load it again; the same password is needed to derive the decryption key
using var loadedKey = ctx.LoadPrivateKey("signing.key.pem", securePassword);
```

### Destroy Keys

```csharp
// Secure destruction (zeroization).
// Dispose() on its own overwrites the key material with zeros; a `using var`
// declaration calls it automatically at scope end.
// For maximum security, run an explicit multi-pass erase first, then Dispose.
// Order matters: nothing may be called on the object after Dispose().
signingKey.SecureErase(); // Multiple overwrites
signingKey.Dispose();     // Zeroes the remaining material and releases the handle
```
## Key Ceremony Checklist
Root CA Key Ceremony:
- [ ] Prepare air-gapped system
- [ ] Witnesses present (minimum 2)
- [ ] Audit logging activated
- [ ] Generate key
- [ ] Create M-of-N backup (e.g., 3-of-5)
- [ ] Distribute backups to different locations
- [ ] Export root certificate
- [ ] Shut down and seal system
- [ ] Sign documentation
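The M-of-N split called for in the backup step above (3-of-5 in the checklist, "M-of-N Split" for the Root CA in the key types table), as an added Python illustration that is not part of the WvdS library: Shamir secret sharing over GF(2^8), byte by byte, with the threshold carried in each share so that the combiner refuses any set smaller than M. The secret fed to it is a constructed stand-in for a key, not real key material.

```python
import secrets  # added for this page, not WvdS code: Shamir M-of-N over GF(2^8)

def _gf_mul(a: int, b: int) -> int:
    p = 0  # carry-less multiply, reduced by the AES polynomial x^8+x^4+x^3+x+1
    while b:
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def _gf_inv(a: int) -> int:
    r = 1  # a^254 == a^-1 in GF(2^8); a must be non-zero
    for _ in range(254):
        r = _gf_mul(r, a)
    return r

def split_secret(secret: bytes, k: int, n: int) -> list[tuple[int, int, bytes]]:
    """Return n shares (x, k, y_bytes); any k of them reconstruct `secret`."""
    if not 1 < k <= n <= 255:
        raise ValueError("need 2 <= k <= n <= 255")
    ys = [bytearray() for _ in range(n)]
    for byte in secret:  # independent random degree-(k-1) polynomial per byte
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x in range(1, n + 1):
            y = 0
            for c in reversed(coeffs):  # Horner: y = y*x + c
                y = _gf_mul(y, x) ^ c
            ys[x - 1].append(y)
    return [(x, k, bytes(ys[x - 1])) for x in range(1, n + 1)]

def combine_shares(shares: list[tuple[int, int, bytes]]) -> bytes:
    """Interpolate at x=0; k travels in each share so short sets are refused."""
    k = shares[0][1]
    use = {s[0]: s[2] for s in shares}  # dedupe by evaluation point x
    if len(use) < k:
        raise ValueError(f"need {k} distinct shares, got {len(use)}")
    xs = list(use)[:k]
    # Lagrange basis at 0: prod_{m!=j} x_m / (x_j - x_m); '-' is XOR in GF(2^8)
    lag = [1] * k
    for j, xj in enumerate(xs):
        for xm in xs:
            if xm != xj:
                lag[j] = _gf_mul(lag[j], _gf_mul(xm, _gf_inv(xj ^ xm)))
    out = [0] * len(use[xs[0]])
    for xj, lj in zip(xs, lag):
        for i, y in enumerate(use[xj]):
            out[i] ^= _gf_mul(y, lj)
    return bytes(out)
```

A production ceremony uses the HSM's native M-of-N backup and handles the shares offline; this block only demonstrates the threshold property, that any M shares reconstruct the secret while fewer than M yield nothing.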
## Related Categories
| Category | Relationship |
|---|---|
| 1. PKI Infrastructure | Manage CA keys |
| 4. Certificate Management | Re-key on rotation |
| 12. Import/Export | Export keys |
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Last modified: 2026/01/30 at 06:40 AM