10 Key Management Best Practices You Should Know

1. Algorithms and key sizes

  • Algorithm: depending upon the use case, either a symmetric algorithm (such as AES) or an asymmetric algorithm (such as RSA or ECDSA) should be selected.
  • Key size: the larger the key, the more secure it is and the longer it will provide protection, but performance may be impacted (especially with large asymmetric keys). The choice of key size (typically 128 or 256 bits for AES keys, or 2,048 or 4,096 bits for RSA keys) should therefore be made carefully.
  • Agility: be prepared to change algorithms and/or key sizes, as algorithms become weaker over time. Be aware of the threat of quantum computing and be prepared to shift to new post-quantum algorithms when necessary.

2. Key lifecycle management

  • Key generation: it is important that keys are cryptographically strong. Like a good password, this requires a high degree of randomness. Software or hardware incorporating a NIST-certified random number generator should be used.
  • Key rotation: in the same way that passwords should be updated periodically, it is good practice to update (or “rotate”) encryption keys periodically. The frequency of rotation depends on the type of key and how and where it is used.
  • Key retirement: when no longer required, a key should be retired. Generally, this means permanently deleting it to ensure there is no further risk and to reduce the number of active keys being managed.

3. Secure storage

4. Access Control

5. Secure Distribution

6. Key Usage

7. Availability

8. Audit logs

9. Processes

10. Centralized Key Management System

  • Secure and efficient key generation, storage, and distribution
  • Enforcing policies and procedures, such as access controls, segregation of duties, and split knowledge
  • Simplifying management processes and automating common tasks
  • Ensuring keys are highly available and always backed up
  • Maintaining a comprehensive audit log
