---
name: encryption-key-management
description: Manage encryption keys, certificates, and cryptographic operations across infrastructure. Use when implementing encryption at rest/in transit, managing key rotation, deploying SSL/TLS certificates, maintaining HSM, enforcing encryption compliance, or managing key lifecycle. Triggers on phrases like "key management", "certificate management", "encryption", "TLS certificate", "key rotation", "HSM", "cryptographic keys", "encryption compliance".
---

# Encryption & Key Management

Ensure comprehensive encryption coverage across all data stores and secure management of cryptographic keys and certificates.

## Workflow

### 1. Encryption Assessment & Planning

1. **Encryption inventory and gap analysis**:
   - Scan all storage systems for encryption status (databases, file servers, cloud storage, backups, endpoints)
   - Identify unencrypted data stores and classify by risk level
   - Assess current encryption algorithms, key lengths, and protocols
   - Create remediation roadmap prioritized by data sensitivity

2. **Encryption architecture design**:
   - Define encryption strategy: at rest (AES-256), in transit (TLS 1.3), key management approach
   - Select key management platform (KMS, HSM, cloud-native)
   - Design key hierarchy: master keys, data encryption keys, wrapping keys
   - Plan for key escrow and emergency recovery

3. **Compliance requirements mapping**:
   - Map encryption requirements to applicable frameworks (PCI-DSS, HIPAA, GDPR, SOC 2)
   - Define minimum encryption standards by data classification level
   - Document encryption exceptions with risk acceptance

### 2. Key Management Operations

1. **Key generation and storage**:
   - Generate cryptographic keys using FIPS 140-2 validated modules
   - Store master keys in HSM or cloud KMS (never in plain text)
   - Implement key wrapping for data encryption keys
   - Separate key storage from encrypted data storage

2. **Key rotation lifecycle**:
   - Automated key rotation on defined schedule (encryption keys: annually, TLS keys: per certificate renewal)
   - Zero-downtime key rotation using key versioning
   - Rotate keys immediately after security incidents or key compromise suspicion
   - Document all key rotation events with timestamps

3. **Key backup and recovery**:
   - Encrypt and securely store key backups (shamir secret sharing, multi-part backups)
   - Test key recovery procedures quarterly
   - Define key recovery access controls (dual control, multi-person authorization)
   - Document key recovery runbooks for each system

4. **Key decommissioning**:
   - Define key retention periods by compliance requirement
   - Secure key destruction when retention period expires
   - Maintain key archival for data that may need future decryption
   - Document key retirement events

### 3. Certificate Management

1. **Certificate inventory and lifecycle**:
   - Discover all SSL/TLS certificates across infrastructure (servers, load balancers, applications, IoT devices)
   - Track certificate: issuer, subject, validity dates, key type, associated systems
   - Set expiry monitoring with alert thresholds (90, 60, 30, 14, 7 days)
   - Map certificate dependencies and impact of expiration

2. **Automated certificate provisioning**:
   - ACME protocol for Let's Encrypt / internal CA certificate issuance
   - Automated deployment to target systems upon issuance
   - Pre-expiration renewal automation (start at 30 days before expiry)
   - Rollback to previous certificate if deployment fails

3. **Certificate security standards**:
   - Enforce minimum key lengths (RSA 2048-bit, ECDSA P-256 minimum)
   - Disable deprecated protocols (SSLv3, TLS 1.0, TLS 1.1)
   - Enforce strong cipher suites (TLS 1.2+, AEAD ciphers)
   - Certificate pinning for critical applications
   - OCSP stapling for performance

4. **Internal PKI management**:
   - Maintain internal Certificate Authority hierarchy (Root CA → Intermediate CA → Issuing CA)
   - Root CA key stored offline in HSM
   - Automated CRL/OCSP responder management
   - Certificate template management per use case

### 4. Encryption Implementation

1. **Data at rest encryption**:
   - Enable TDE for databases (SQL Server, PostgreSQL pgcrypto)
   - Encrypt cloud storage (S3 SSE-S3/SSE-KMS, Azure Storage Service Encryption)
   - Full disk encryption for all endpoints (BitLocker, FileVault, LUKS)
   - Encrypt backup data with separate encryption keys
   - Encrypted volumes for sensitive application data

2. **Data in transit encryption**:
   - TLS 1.2+ for all external-facing services
   - Internal service-to-service mTLS via service mesh
   - Encrypted database connections
   - VPN/tunneling for site-to-site connectivity
   - End-to-end encryption for sensitive communications

3. **Application-level encryption**:
   - Field-level encryption for highly sensitive data (SSN, credit cards, PHI)
   - Client-side encryption for zero-knowledge applications
   - Tokenization for payment data (PCI compliance)
   - Application-managed encryption keys (Bring Your Own Key)

4. **Encryption monitoring and compliance**:
   - Continuous scanning for unencrypted resources
   - Alert on new unencrypted resource creation
   - Encryption compliance reporting by system and data type
   - Penetration testing validation of encryption implementation

### 5. Encryption Key Access Controls

1. **Access policy management**:
   - Define key access policies by role (encrypt, decrypt, administer, audit)
   - Implement least privilege for key operations
   - Require MFA for key administrative operations
   - Audit logging for all key operations

2. **Emergency access procedures**:
   - Break-glass access procedure for key operations during incidents
   - Multi-person authorization for emergency decryption
   - Automated alerting on emergency access usage
   - Post-emergency access review and credential rotation

## Templates & Frameworks

### Key Rotation Schedule

```
KEY ROTATION CALENDAR — 2025
============================

Key Type           | Rotation Period | Next Rotation | Method
-------------------|----------------|---------------|------------------
Master Keys (HSM)  | Annual         | 2025-06-15    | Dual control
Data Enc Keys      | Quarterly      | 2025-07-01    | Automated wrap
TLS Certificates   | Per expiry     | Auto-renewal  | ACME/Let's Encrypt
DB TDE Keys        | Semi-annual    | 2025-09-01    | Zero-downtime
API Keys           | Monthly        | 2025-05-01    | Automated rotation
Customer Encrypt   | Per request    | As needed     | Application-managed
Backup Keys        | Annual         | 2025-11-01    | Offline ceremony
```

### Certificate Expiry Monitoring

```
CERTIFICATE STATUS — April 2025
================================

EXPIRY RISK:
  🔴 Expiring < 7 days: 2 certificates (immediate action required)
     - api.example.com — expires Apr 22 — auto-renewal FAILED
     - internal-db.company.net — expires Apr 20 — manual renewal needed
  ⚠  Expiring < 30 days: 5 certificates (scheduled for renewal)
  ✓  Healthy (> 30 days): 127 certificates

CERTIFICATE COMPLIANCE:
  TLS 1.3 enabled: 89%
  Strong ciphers only: 94%
  OCSP stapling: 76%
  Certificate pinning (critical apps): 100%
```

## Integration Points

- KMS platforms (AWS KMS, Azure Key Vault, GCP Cloud KMS, HashiCorp Vault): Key storage and management
- HSM appliances (Thales, Utimaco, AWS CloudHSM): Hardware-based key protection
- Certificate management (Venafi, Digicert, CertManager, Let's Encrypt): Certificate lifecycle
- SIEM: Key operation audit logging and alerting
- Configuration management (Ansible, Puppet, Chef): Automated encryption deployment
- Cloud platforms (AWS, Azure, GCP): Native encryption services
- Database platforms: TDE, column-level encryption capabilities
- Monitoring systems: Certificate expiry monitoring and alerting

## Edge Cases

- **Key loss scenario**: Validate key backup integrity; execute recovery procedure; test decryption of sample data; document incident
- **Certificate emergency renewal**: Bypass normal approval process; deploy via emergency change procedure; post-facto documentation
- **Legacy system encryption limitations**: Implement compensating controls (network segmentation, encrypted tunnels); plan migration timeline
- **Multi-cloud key management**: Use cross-cloud KMS or bring-your-own-key approach; maintain key inventory across all clouds
- **Regulatory key escrow requirements**: Implement compliant escrow mechanism; separate escrow administrator from key administrator

## Output

### Encryption Coverage Dashboard

```
ENCRYPTION STATUS — April 2025
===============================

ENCRYPTION COVERAGE:
  At Rest:  96% (47/49 systems encrypted)
  In Transit: 98% (148/151 connections encrypted)
  Endpoints: 100% (all 1,247 devices with FDE)
  Backups:  99% (all backup systems encrypted)

KEY MANAGEMENT:
  Total active keys: 342
  Keys past rotation date: 0 ✓
  HSM slots in use: 12/24
  Key backup integrity: Verified (last test: 2025-04-01)

CERTIFICATE MANAGEMENT:
  Total certificates: 134
  Auto-renewal configured: 118 (88%)
  Expiring this month: 5
  Non-compliant protocols: 8 (being remediated)

GAPS:
  🔴 2 unencrypted file shares — scheduled for encryption by April 25
  ⚠  8 systems using TLS 1.2 only (TLS 1.3 upgrade planned)
```

## Trigger Phrases

"encryption", "key management", "certificate management", "TLS certificate", "key rotation", "HSM", "cryptographic keys", "encryption compliance", "encrypt data", "certificate expiry", "PKI", "TDE", "encryption at rest", "encryption in transit", "key backup", "certificate renewal", "mTLS", "key escrow"