Key Management

Key management refers to the processes and systems for generating, storing, distributing, rotating, and revoking cryptographic keys. Poor key management (such as hardcoding keys in source code or storing them in the same place as encrypted data) undermines the security of encryption. Best practices include using dedicated key management services (AWS KMS, Azure Key Vault, HashiCorp Vault), envelope encryption, and automatic key rotation. Key rotation schedules are often required by PCI-DSS and SOC 2.

Why it matters for your website

• 1Foundational principle in modern security — harder to retrofit than to build in from the start
• 2Reduces breach impact by limiting what attackers can access if they get in
• 3Required control in ISO 27001, NIST CSF, and most compliance frameworks