Encryption Key Lifecycle Template
A template for managing the creation, distribution, rotation, and destruction of encryption keys across applications and services.
Note: This guide follows English-language naming conventions and terminology standards common in international development teams. Examples use English identifiers and comments to maximize compatibility across codebases and tooling.
Overview
Encryption key lifecycle management defines how keys are created, stored, used, rotated, and retired. Poor key management can undermine encryption entirely by exposing keys, keeping them too long, or failing to revoke them when no longer needed. This template provides policies, procedures, and roles for managing symmetric and asymmetric keys across applications, databases, backups, and cloud services.
When to Use
- Designing a key management strategy for a new application or platform.
- Selecting or configuring a key management service (KMS) or hardware security module (HSM).
- Establishing a key rotation policy for compliance or risk reduction.
- Responding to a key compromise or suspected unauthorized key access.
- Offboarding a system or retiring a service that holds encrypted data.
Prerequisites
- A key management service such as AWS KMS, Azure Key Vault, Google Cloud KMS, HashiCorp Vault, or an HSM.
- A classification of data that requires encryption at rest, in transit, or in use.
- A list of systems and services that generate or use encryption keys.
- Defined roles for key custodians, users, and auditors.
Solution
Template
1. Key Classification
| Key Type | Purpose | Example | Protection Level |
|---|---|---|---|
| Data encryption key (DEK) | Encrypts data at rest | AES-256 database key | High |
| Key encryption key (KEK) | Encrypts DEKs | RSA key in KMS | Critical |
| Transport key | Encrypts data in transit | TLS private key | High |
| Signing key | Signs code or artifacts | ECDSA code signing key | Critical |
| API key | Authenticates API calls | HMAC secret | Medium |
| Backup key | Encrypts backups | AES-256 backup key | High |
2. Key Lifecycle Stages
| Stage | Activities | Owner | Artifacts |
|---|---|---|---|
| Generation | Create key with approved algorithm and length | Platform team | Key metadata, algorithm |
| Distribution | Securely deliver key to authorized systems | Security team | Access log, key alias |
| Storage | Store in KMS, HSM, or vault | Platform team | Key location, policy |
| Usage | Enforce least-privilege and audit all operations | Application team | Access policy, audit logs |
| Rotation | Replace key periodically or after incident | Security team | Rotation schedule, new key |
| Compromise | Revoke, rotate, and assess impact | Security team | Incident report, new key |
| Destruction | Securely delete key when no longer needed | Platform team | Destruction certificate |
| Archive | Retain key metadata for compliance without key material | Compliance team | Retention record |
3. Key Rotation Policy
| Key Type | Rotation Frequency | Trigger | Automatic |
|---|---|---|---|
| KEK / KMS key | 2 years | Scheduled | Yes |
| TLS certificate key | 1 year | Certificate expiry | Yes |
| Database DEK | 1 year | Scheduled | No, planned maintenance |
| Signing key | 1 year | Scheduled or suspected compromise | Semi-automatic |
| API HMAC secret | 90 days | Scheduled or credential leak | Yes |
| Backup key | 1 year | Scheduled | No |
4. Access Control Matrix
| Role | Generate | Use | Rotate | Destroy | Audit |
|---|---|---|---|---|---|
| Application service | No | Yes | No | No | No |
| Platform engineer | Yes | No | Yes | No | Yes |
| Security engineer | No | No | Yes | No | Yes |
| Key custodian | Yes | No | Yes | No | Yes |
| Auditor | No | No | No | No | Yes |
| Compliance officer | No | No | No | Yes with approval | Yes |
5. Compromise Response Procedure
| Step | Action | Owner | Timeline |
|---|---|---|---|
| 1 | Revoke or disable the compromised key | Security team | Within 1 hour |
| 2 | Identify all systems and data protected by the key | Security team | Within 4 hours |
| 3 | Rotate to a new key and re-encrypt data | Platform team | Within 24 hours |
| 4 | Notify stakeholders and customers if required | Incident commander | Within 24 hours |
| 5 | Preserve audit logs and evidence | Security team | Immediate |
| 6 | Update incident report and lessons learned | Security team | Within 1 week |
6. Destruction Checklist
- Key is no longer used by any application or service.
- Encrypted data has been decrypted with the new key or securely deleted.
- All backups and replicas containing the key are identified.
- Key material is deleted from KMS, HSM, or vault.
- Destruction is logged and signed by key custodian and compliance officer.
- Retention period for metadata is documented and enforced.
Explanation
Encryption is only as strong as the keys that protect it. The lifecycle template ensures that keys are generated with strong algorithms, stored in approved services, accessed with least privilege, rotated regularly, and destroyed securely when no longer needed. Separating duties between key custodians, users, and auditors prevents any single person from controlling the entire lifecycle.
Variants
- Cloud KMS key lifecycle: Uses AWS KMS, Azure Key Vault, or Google Cloud KMS with automatic rotation and IAM policies.
- HSM-backed key lifecycle: Adds physical or cloud HSM protection for high-assurance keys.
- Application-level key lifecycle: Focuses on keys generated and managed within a single application or service.
- Database encryption key lifecycle: Covers transparent data encryption (TDE) and column-level keys.
- Backup encryption key lifecycle: Ensures long-term keys can be recovered for archive retention while remaining secure.
Best Practices
- Use a centralized KMS or HSM instead of storing keys in application code.
- Separate key encryption keys from data encryption keys.
- Rotate keys automatically when the service supports it.
- Log every key usage and administrative action.
- Limit key export to non-extractable keys unless required.
- Test rotation and destruction procedures before an incident.
- Maintain an inventory of all keys, owners, and rotation dates.
- Require multi-person approval for high-impact actions like destruction.
Common Mistakes
- Hardcoding keys in source code or configuration files.
- Never rotating keys despite compliance requirements.
- Sharing keys across multiple applications or environments.
- Allowing key export without approval or audit.
- Not backing up key metadata or KEKs before destruction.
- Ignoring compromised key response procedures.
- Storing old keys indefinitely after rotation.
FAQs
What is the difference between a DEK and a KEK?
A data encryption key (DEK) encrypts the actual data. A key encryption key (KEK) encrypts the DEK, allowing the DEK to be stored safely while the KEK remains in a secure KMS or HSM.
Should we rotate keys even if there is no compromise?
Yes. Scheduled rotation limits the exposure window if a key is compromised without detection and satisfies many compliance requirements.
How do we rotate a key that protects a large database?
Use a two-key rotation: add the new key, re-encrypt data gradually or lazily, then retire the old key when all data is protected by the new key.