Key Lifecycle
Keys are never persistently stored in plaintext.
General rules
- unwrap only when needed
- keep in locked memory
- use immediately
- cleanse after use
Lifecycle steps
- Wrapped key loaded from storage
- Unwrapped in secure memory (mlock)
- Used for crypto operation
- Memory zeroized
- Freed
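As an added example, not code from the original page: the five lifecycle steps above carried out for one request in C. The buffer is pinned with mlock(), the key is zeroized through a volatile pointer before munlock() and free(), and the unwrapped key exists only inside that buffer for the duration of the call. The wrap and the "crypto operation" are constructed XOR stand-ins (a real system would use AES-KW or an AEAD), and key_buf, use_key_once and the require_lock flag are assumed names.

```c
/* Added example: unwrap -> use -> zeroize -> free in mlock()'d memory.
 * The "wrap" and the "crypto operation" are constructed XOR stand-ins,
 * NOT real algorithms; substitute AES-KW / an AEAD in production. */
#include <stdint.h>
#include <stdlib.h>
#include <sys/mman.h>

#define KEY_LEN 16
struct key_buf { uint8_t *p; size_t n; int locked; };

/* Zeroize through a volatile pointer so the compiler cannot elide the writes. */
static void secure_zero(void *v, size_t n) {
    volatile uint8_t *p = v;
    while (n--) *p++ = 0;
}

/* Allocate a key buffer and pin it so it is never written to swap. */
static int key_buf_alloc(struct key_buf *kb, size_t n) {
    kb->p = malloc(n); kb->n = n;
    if (!kb->p) return -1;
    kb->locked = (mlock(kb->p, n) == 0);   /* record whether pinning worked */
    return 0;
}

/* Zeroize, unpin, free: the plaintext key leaves memory in that order. */
static void key_buf_free(struct key_buf *kb) {
    if (!kb->p) return;
    secure_zero(kb->p, kb->n);
    if (kb->locked) munlock(kb->p, kb->n);
    free(kb->p); kb->p = NULL; kb->locked = 0;
}

/* One request: wrapped key in, output out; the unwrapped key exists only
 * inside the locked buffer for the duration of the call. If require_lock is
 * set and mlock() failed, refuse to proceed rather than run unlocked. */
static int use_key_once(const uint8_t *wrapped, const uint8_t *kek,
                        const uint8_t *msg, uint8_t *out, size_t len, int require_lock) {
    struct key_buf kb;
    if (len > KEY_LEN || key_buf_alloc(&kb, KEY_LEN) != 0) return -1;
    if (require_lock && !kb.locked) { key_buf_free(&kb); return -2; }
    for (size_t i = 0; i < KEY_LEN; i++) kb.p[i] = wrapped[i] ^ kek[i]; /* unwrap (stand-in) */
    for (size_t i = 0; i < len; i++) out[i] = msg[i] ^ kb.p[i];         /* use (stand-in) */
    key_buf_free(&kb);                                                   /* zeroize, munlock, free */
    return 0;
}
```

Return value -2 (mlock unavailable) is the case to alarm on in production, since the unwrapped key would otherwise be swappable.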
Special cases
KSK
- entered manually at startup
- used to unwrap SUKs
- immediately discarded
SUK
- kept in secure memory during runtime
WSK / EVK
- unwrapped per request
- discarded immediately
DEK
- derived temporarily
- discarded immediately
Goal
Minimize:
- exposure time
- attack surface
- memory residency