Encryption Key Rotation is Useless — Here’s Why

StrongSalt
Nov 7, 2019 · 3 min read

When it comes to securing data for storage or transfer, encryption is the gold standard. Properly encrypted data is unreadable to anyone who obtains the ciphertext but not the key, which slows down and often stops would-be attackers.

It is essential to understand the limitations and risks of this technique, however. Even the most well-planned encryption practices can fail if weaknesses in how the keys are managed are left unaddressed.

Encryption Key Management Overview

Encryption key management refers to the handling of the keys that unlock encrypted data: generating, protecting, storing, backing up, distributing, and retiring them. Some of these tasks are automated, but most of the time employees have a hand in the protection, storage, and backup of encryption keys.

Perhaps most importantly, encryption keys must remain retrievable whether key management is centralized or decentralized: data encrypted under a key that can no longer be found is as good as destroyed.

Companies need to carefully manage their encrypted data systems, particularly key expiration and key rotation. A leaked key can lead to a data breach; a lost key leaves the data unrecoverable.

Encryption keys usually have a set expiration date so that keys can be renewed, or “rotated”, regularly, theoretically adding to the protection encryption provides. On rotation, new key material is generated, the data (or the keys that protect it) is re-keyed under it, and a new expiration date is set.

Encryption Key Rotation Issues

While retiring and refreshing keys seems like an obvious safeguard against key compromise and data loss, managing key rotation introduces a few prominent issues.

· The key rotation process can become cumbersome, especially when several approaches are applied at once.

· Employees can miss vital steps when processes become too complicated, as is often the case with key management systems.

· Accurately tracking key expiration and rotation is vital, yet often hard to manage; lost keys are a common cause of encryption failures.

· Making the wrong choice about who should be permitted to access encryption keys can have dire consequences.

These issues share one notable commonality: human error. No matter how robust a data encryption system may appear, the more human involvement it requires, the less secure it may actually be. People are simply prone to occasional mistakes.

In the end, many companies turn off their encryption rather than deal with the complexity, confusion, and extra work of key management. Doing nothing can seem better than doing it badly.

Does key rotation even improve security?

On top of human error, even in the best case, key rotation may do little to protect data. Worse, the practice may lull SecOps teams into a false sense of security.

Ed Yu, Founder and CEO of StrongSalt, points out that in a typical key management system, key rotation does little to protect data in the long run.

“Typically, a security team will encrypt a file with a symmetrical key and then encrypt the key with an asymmetrical key,” he explains. “Later, they may need to revoke access, for instance, when an employee leaves.”

“The problem is that the files the employee had access to were encrypted with symmetrical keys. So even if you rotate the asymmetrical key, the file’s symmetrical key is unchanged,” he adds.

In other words, Yu says, key rotation does nothing to actually help secure the data.
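The scheme Yu describes, written out as an added example in Go (this is not StrongSalt's code and was not part of the original post): each file is sealed under its own AES-256-GCM data-encryption key (DEK), and the DEK is stored beside the ciphertext wrapped with RSA-OAEP under an asymmetric key-encryption key (KEK). The sample plaintext, the key names kek1/kek2, and the function names are constructed for the illustration. RotateKEK does what most key-management systems call rotation: it re-wraps the existing DEK under a new KEK. Demo then shows that a DEK copied by an employee while still authorised keeps decrypting the file after that rotation, and only stops working once the file is re-encrypted under a fresh DEK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EnvelopeFile is the scheme described in the quote: the body is sealed under a
// per-file symmetric DEK, and the DEK sits beside it wrapped under an asymmetric KEK.
type EnvelopeFile struct {
	Nonce, Ciphertext []byte // AES-256-GCM under the DEK
	WrappedDEK        []byte // the DEK, RSA-OAEP-encrypted under the current KEK
}

func gcm(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// UnwrapDEK is the authorised read path. What it returns is exactly what a
// departing employee may have kept a copy of.
func UnwrapDEK(f *EnvelopeFile, kek *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, f.WrappedDEK, nil)
}

// Encrypt seals plaintext under a fresh random DEK and wraps that DEK under kek.
func Encrypt(plaintext []byte, kek *rsa.PublicKey) (*EnvelopeFile, error) {
	buf := make([]byte, 32+12) // 256-bit DEK followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dek, nonce := buf[:32], buf[32:]
	aead, err := gcm(dek)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dek, nil)
	if err != nil {
		return nil, err
	}
	return &EnvelopeFile{nonce, aead.Seal(nil, nonce, plaintext, nil), wrapped}, nil
}

// DecryptWithDEK opens the body with a DEK directly; the KEK is never consulted.
func DecryptWithDEK(f *EnvelopeFile, dek []byte) ([]byte, error) {
	aead, err := gcm(dek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, f.Nonce, f.Ciphertext, nil)
}

// RotateKEK is what "key rotation" usually means in a KMS: the same DEK is
// re-wrapped under a new KEK. Neither the ciphertext nor the DEK changes.
func RotateKEK(f *EnvelopeFile, oldKEK *rsa.PrivateKey, newKEK *rsa.PublicKey) (*EnvelopeFile, error) {
	dek, err := UnwrapDEK(f, oldKEK)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, newKEK, dek, nil)
	if err != nil {
		return nil, err
	}
	return &EnvelopeFile{f.Nonce, f.Ciphertext, wrapped}, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Demo plays out the departing-employee case: does the DEK the employee kept
// still open the file after a KEK rotation, and after a DEK re-key?
func Demo() (afterKEKRotation, afterDEKRekey bool) {
	kek1 := must(rsa.GenerateKey(rand.Reader, 2048))
	kek2 := must(rsa.GenerateKey(rand.Reader, 2048))
	file := must(Encrypt([]byte("Q3 payroll export (constructed sample)"), &kek1.PublicKey))
	retained := must(UnwrapDEK(file, kek1)) // copied by the employee while still authorised

	// The employee leaves and the team rotates the asymmetric key to kek2.
	file = must(RotateKEK(file, kek1, &kek2.PublicKey))
	_, errKEK := DecryptWithDEK(file, retained)

	// Real revocation: decrypt via the current KEK and re-encrypt under a fresh DEK.
	plaintext := must(DecryptWithDEK(file, must(UnwrapDEK(file, kek2))))
	file = must(Encrypt(plaintext, &kek2.PublicKey)) // new DEK, new ciphertext
	_, errDEK := DecryptWithDEK(file, retained)
	return errKEK == nil, errDEK == nil
}

func main() {
	fmt.Println(Demo()) // true false
}
```

Run it with go run; it prints true false. Rotating the KEK is not worthless: it limits what a future compromise of the KEK exposes. But it revokes nothing from anyone who already unwrapped the DEK, because the DEK and the ciphertext are untouched. Revoking a leaver's access means re-keying every file whose DEK that person could have unwrapped, and even that cannot recall plaintext copied while they were authorised.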

What if working in encryption management could be keyless?

Many IT departments turn to the myriad on-prem and cloud-based software options marketed to them to help manage encryption keys. Most of these leave SecOps teams with the same underlying issue: humans are still handling tasks that put data at increased risk.

Modern encryption needs require a modern solution. StrongSalt has developed a new way to handle encryption, one that removes the risk of human error by eliminating the need to manage encryption keys altogether.

StrongSalt’s encryption-as-a-service API gives companies a decentralized, keyless management method that goes beyond data security, allowing searchable, shareable encryption as well as immutable auditing of your data.

Learn more about how StrongSalt is building a new privacy infrastructure for the internet.

Written by StrongSalt
Encryption platform as a service building a new privacy infrastructure for the internet. www.strongsalt.com
