Cryptographic key management is an umbrella term which refers to the various administration processes that govern the life cycle of keys and the keys’ associated crypto material and metadata. Key life cycle stages include, but are not limited to, generation, certification, distribution and revocation, archival and destruction, and each of these stages brings with it particular administrative tasks that must be performed securely in an auditable manner. The exact processes vary depending upon a number of factors, such as key type (symmetric or asymmetric), environment in which they are used and industry.
This document aims to provide an overview of the scope of key management compliance requirements, discuss their impact on the architecture of key management solutions, and offer recommendations for achieving compliance while simplifying audits.