Keys and Secrets Management Introduction
Key and Secrets Management (KSM) is the practice of managing the full life cycle of cryptographic material and other digital data to which access must be strictly controlled. KSM centralizes the management of the secrets that running applications use and of access to data, and applies automation and digital record keeping to the problems of key proliferation and data access. KSM also makes it practical to replace credentials more frequently, which reduces the risk of compromise.
A secret is a digital authentication credential to be presented to a system, while a key is a specific cryptographic artifact (as well as a type of secret). Consider some of the secrets that applications must manage:
- User passwords
- Root passwords
- Application and database passwords
- Auto-generated encryption keys
- Private encryption keys
- Application Programming Interface (API) keys
- Application keys
- Secure Shell (SSH) keys
- IAM secret keys
- Programmatic access keys (project / client IDs)
- Authorization tokens
- Bearer tokens
- Certificates
- Private certificates (e.g., Transport Layer Security (TLS), Secure Sockets Layer (SSL))
- RSA and other one-time password devices
- Account tags
- Passphrases
- Any other application tokens that are deemed confidential
In addition, many of these secrets are registered and managed in external systems, with corresponding expiration dates, renewal dates, and other timelines that must be tracked lest the credentials expire and cause an outage. Key management also carries compliance obligations: it is crucial to adhere to the Least Privilege principle when managing credentials and access control. Increasingly, keys must be issued and rotated automatically across many applications. This burden exceeds what can be tracked manually with spreadsheets, desktop databases, or paper; it is a complex problem.
Key management differs from secrets management. The basic life cycle steps for each are below.
- Key Management Life Cycle
  - Generation
  - Use and distribution
  - Storage
  - Escrow and backup
  - Accountability and audit
  - Key rotation
  - Key revocation
- Secrets Management Life Cycle
  - Store a secret
  - Modify secret attributes
  - Associate a user or application with a secret
  - Issue a secret to a user (on demand)
  - Destroy a secret
  - Audit usage
In key management, particularly when implemented with Hardware Security Modules (HSMs), the keys never leave the system. This differs from secrets management, where approved users or roles may retrieve the secrets from the system. A secrets management system is designed to store any kind of secret, while a key management system is used specifically to manage keys for encryption.
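The following is an added illustration (not code from the CMS TRA, AWS, or any HSM product) of the key management life cycle listed above and of the "keys never leave the system" property: the key manager holds the key material privately and exposes only a key id with sign/verify operations, rotation keeps earlier versions for verification only, revocation removes a version, and every operation lands in an audit trail. Class and method names are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets


class KeyManager:
    """HSM-style key life cycle model (hypothetical example, not a real HSM API).
    Key bytes are created inside this object and are never returned to callers;
    callers receive a key id and use sign()/verify(), mirroring the Generation,
    Use, Storage, Accountability/audit, Rotation and Revocation steps."""

    def __init__(self):
        self._versions = {}  # key_id -> {version: key bytes}; never exported
        self._active = {}    # key_id -> version used for new signatures
        self.audit = []      # (event, key_id, version): accountability trail

    def generate(self, key_id):
        # Generation: 256-bit key from the OS CSPRNG, stored as version 1
        self._versions[key_id] = {1: secrets.token_bytes(32)}
        self._active[key_id] = 1
        self.audit.append(("generate", key_id, 1))

    def sign(self, key_id, data):
        # Use: HMAC-SHA256 with the active version; returns (version, tag)
        v = self._active[key_id]
        self.audit.append(("sign", key_id, v))
        return v, hmac.new(self._versions[key_id][v], data, hashlib.sha256).digest()

    def verify(self, key_id, version, data, tag):
        # Verification may use an older, rotated-out version, but never a revoked one
        key = self._versions[key_id].get(version)  # None once revoked
        self.audit.append(("verify", key_id, version))
        if key is None:
            return False
        return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), tag)

    def rotate(self, key_id):
        # Rotation: new signatures use a fresh version; old versions stay for verify
        v = self._active[key_id] + 1
        self._versions[key_id][v] = secrets.token_bytes(32)
        self._active[key_id] = v
        self.audit.append(("rotate", key_id, v))
        return v

    def revoke(self, key_id, version):
        # Revocation: the version is destroyed, so anything signed with it fails verify
        del self._versions[key_id][version]
        self.audit.append(("revoke", key_id, version))
```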
Per the CMS TRA’s recommended practice RP-KSM-1, “Applications Should Use a KSM to Manage Keys and Secrets.” CMS Cloud recommends use of the AWS Secrets Manager.
The ISPG Key Management Handbook summarizes practices related to secrets management as well as key management. In particular, the section Key Management Lifecycle Best Practices provides a comprehensive guide.
References:
- CMS CIO Memo on encrypting sensitive data: CMS Strategy for Encrypting Sensitive Information, May 6, 2021
- HHS Policy for Encryption of Computing Devices and Information: Encryption Requirements