Key Management
- Does 2Encrypt provide key management?
- Which key management systems work with 2Encrypt?
- How does 2Encrypt get its keys?
- How can I be sure the keys are safe?
- How do I rotate keys?
- What if a key is compromised?
Does 2Encrypt provide key management?
Yes. Red Iron can implement an end-to-end solution for automated encryption key management and encryption throughout the enterprise. 2Encrypt also works with a variety of third-party automated encryption key management solutions, and we can recommend to retailers the key management solutions that best suit their needs.
In cases where a retailer's network configuration makes traditional automated key distribution impossible, Red Iron has created a key management utility that provides the basic operations required to conform to PCI requirements. This utility, however, lacks the robust key management facilities that a full key management solution provides.
Which key management systems work with 2Encrypt?
Key management providers can be chosen on their own merits without much concern for 2Encrypt; implementing a new plug-in for a key management provider we have not yet encountered is straightforward. Thus far, 2Encrypt has been implemented with the Windows 2003 Certificate Server, the Ingrian DataSecure hardware device and the Red Iron Key Management utility. We have also done proofs of concept with PGP, a generic LDAP approach, and a number of others.
How does 2Encrypt get its keys?
This depends on which Key Management approach you want to configure 2Encrypt to use. 2Encrypt will interface with any Key Management approach in use by the retailer. Common options include Windows Cert Server and hardware key management solutions such as those offered by Ingrian Technologies. If a retailer does not have a network that encompasses all of the store locations, Red Iron has created a manual file-based approach that can be used for key management.
2Encrypt doesn’t prescribe the key management approach to be taken. 2Encrypt uses a plug-in model for interfacing with automated key management solutions, which lets us work with any key management provider. The keys we obtain from the key management provider rotate on the schedule the retailer chooses; the key strength used and the rules for retaining keys are likewise left to the retailer.
How can I be sure the keys are safe?
We cache keys in a secure store on the machines that are running 2Encrypt. We delegate the storage of key data to the Windows operating system, so the built-in Windows key protections guard the cached keys against disclosure.
How do I rotate keys?
The rotation of keys depends, again, on the specific key management approach used. Where key rotation is an integrated part of the key management provider, we delegate the scheduled rotation of keys to that provider. Where key rotation is not a built-in feature of the retailer’s chosen key management approach, we parameterize the 2Encrypt configuration to request new keys on a schedule that works for the retailer. There is no restriction on the number of keys in use at any given time, so key rotation happens as a normal course of operation with 2Encrypt and does not require data encrypted under earlier keys to be migrated.
What if a key is compromised?
If a key is compromised, the recovery, from a 2Encrypt perspective, is straightforward. It involves marking the key as compromised in the key management interface, then running 2Encrypt with a command line that moves all the data on the machine to the newest key available from the key management provider. That assures the retailer that none of the data on the machine remains encrypted under the compromised key.