Glossary

Companies safeguard their sensitive data through encryption at rest and in transit, since leaking protected information can cause significant financial, legal, and reputational damage. To perform this encryption, companies use tools that issue cryptographic keys or digital certificates to ensure that only the correct entities encrypt and decrypt relevant data. For complex platforms interacting with a variety of systems, many different tools may be used for this encryption process, making key management very challenging. Key management systems are what we call the centralized services that oversee and simplify the management of this otherwise very complex process.

Key management extends beyond the workplace, especially with global, hybrid, and remote work. Keys must be generated, distributed, stored, backed up, revoked, destroyed, encrypted, and decrypted efficiently and securely across various applications and devices, without losing track, for everything on the network, including devices like printers, tablets, and phones. It must also perform those tasks securely for remote and hybrid workers of larger companies operating in global markets.

A KMS manages keys in a centralized location, can give reminders before keys expire, and provides support throughout the entire key lifecycle. When operated properly, the KMS facilitates the monitoring and control of keys so they may be managed uniformly and automatically. Tracking key lifecycle through a KMS also helps security teams audit the organization’s handling of keys, potentially identifying security risks before they become data breaches.

Though additional features may differ between key management systems, most share these five primary functions:

• Generation: The KMS creates new cryptographic keys with the desired formats.
• Distribution: The KMS delivers keys to appropriate applications and devices.
• Storage: Keys are encrypted and stored within the KMS.
• Backup and recovery: The KMS creates backups of its keys for recovery from data loss.
• Revocation: The KMS deactivates compromised keys or keys at the end of their lifecycle to prevent further access.