Key management
Key management comprises all processes for the secure generation, distribution, storage, use, rotation and destruction of cryptographic keys across their entire lifecycle.
Key management refers to the entirety of organisational and technical measures used to handle cryptographic keys securely throughout their complete lifecycle. This lifecycle ranges from generation with sufficient entropy, through secure distribution to authorised parties, protected storage, controlled use and regular rotation, all the way to revocation, archiving and the final destruction of keys that are no longer needed. Because the security of any cryptographic scheme depends, according to Kerckhoffs's principle, solely on the secrecy of the key and not of the algorithm, robust key management is the central prerequisite for encryption and digital signatures to actually deliver their protective effect.
At the heart of resilient key management are clearly defined roles, documented responsibilities and technical safeguards. Keys should be generated and held in dedicated security components such as hardware security modules (HSM) or protected key management systems, so that private key material ideally never leaves the secured module in plaintext. Key principles include the separation of key types (for example key-encryption keys and data keys), the four-eyes or split-knowledge principle for sensitive operations, rotation aligned with the cryptoperiod, and defined emergency procedures for compromised keys. Complete logging of all key-related operations ensures traceability and forms the basis for audits.
From a compliance perspective, key management is a mandatory component of an effective information security management system (ISMS). ISO/IEC 27001 explicitly requires rules on the use of cryptography including the key lifecycle in Annex A (Control A.8.24 Use of cryptography), and the German BSI IT-Grundschutz addresses the topic in module CON.1 Cryptographic concept. The NIS2 Directive and its national transposition likewise require affected entities to use cryptography and encryption as a risk-management measure, which is unattainable without orderly key management. In data protection terms it is relevant under Article 32 GDPR as a technical measure, because insecurely managed keys undermine the protective effect of encryption and can thus lead to a notifiable personal data breach.
Legal Basis
ISO/IEC 27001 Annex A (A.8.24); BSI IT-Grundschutz CON.1 (Cryptographic concept); Art. 32 GDPR; Art. 21 NIS2 Directive (EU) 2022/2555
Practical Example
A mid-sized mechanical engineering company qualifies as an important entity under the NIS2 obligations. The information security officer discovers that TLS certificates and database encryption keys have so far been maintained manually in a spreadsheet and have not been rotated for years. He introduces a central key management system with HSM integration, defines cryptoperiods and automatic rotation, establishes the four-eyes principle for exporting key material, and documents the entire lifecycle in a cryptographic concept following BSI CON.1. At the next ISO/IEC 27001 audit he can demonstrate the effectiveness of Control A.8.24 and reduces the risk that a compromised key turns into a notifiable security incident.