Skip to main content

Key Management System (KMS)

In the OID application, the Key Management System (KMS) plays a critical role in ensuring the security and integrity of our data by managing cryptographic keys and secrets. The design of our KMS is focused on providing robust security features while maintaining ease of use and scalability.

Key Principles

Our KMS adheres to the following principles to ensure the highest level of security:

  • Confidentiality: Ensuring that keys are only accessible to authorized entities.
  • Integrity: Preventing unauthorized modification of keys.
  • Availability: Ensuring that keys are available when needed.
  • Auditability: Keeping detailed logs of key access and management operations.

HashiCorp Vault

We have chosen HashiCorp Vault as our KMS due to its comprehensive feature set and proven security.

  • Secure Storage: Vault encrypts secrets at rest and in transit, ensuring that data is protected from unauthorized access.
  • Dynamic Secrets: Vault can generate secrets on-demand, reducing the risk of secret sprawl and ensuring that secrets are only available when needed.
  • Access Control: Fine-grained access control policies allow us to define who can access which secrets and under what conditions.
  • Audit Logs: Vault maintains detailed logs of all operations, providing a comprehensive audit trail for security and compliance purposes.
  • Extensibility: With its plugin system, Vault can integrate with various backends and extend its capabilities as required.
AWS Key Management Service as an alternative

Depending on specific requirements, the OID application can also utilize AWS Key Management Service (KMS), which offers a fully managed key management service.

  • Managed Service: AWS KMS handles key storage, management, and rotation, reducing the operational burden on our team.
  • Integration: It seamlessly integrates with other AWS services, simplifying the management of keys across our infrastructure.
  • Compliance: AWS KMS is compliant with various industry standards and regulations, helping us meet our compliance requirements.
  • Scalability: As a fully managed service, AWS KMS scales automatically with our usage, ensuring high availability and performance.

Key Rotation and Expiry

Regular key rotation is a critical aspect of our KMS strategy to minimize the risk of key compromise. Our policies ensure that:

  • Automated Rotation: Keys are rotated automatically at regular intervals, reducing the risk of long-term exposure.
  • Key Expiry: Expired keys are securely archived and eventually destroyed, ensuring that they cannot be used after their validity period.
  • Notification: Systems and users are notified in advance of key rotations and expirations, ensuring a smooth transition.

Key Usage Monitoring

To ensure the security and proper usage of keys, we implement continuous monitoring and alerting:

  • Usage Metrics: We collect detailed metrics on key usage, including access patterns and anomalies.
  • Alerting: Automated alerts are triggered for suspicious activities, such as unauthorized access attempts or unusual key usage patterns.
  • Incident Response: In the event of a security incident, we have predefined response procedures to quickly mitigate risks and recover compromised keys.