Data Encryption Key Management

Encryption is a process that uses algorithms to encode data as ciphertext. This ciphertext can only be made meaningful again if the person or application accessing the data has the data encryption keys necessary to decode it. So if the data is stolen or accidentally shared, it remains protected because it is indecipherable without those keys.

Controlling and maintaining data encryption keys is an essential part of any data encryption strategy, because a cybercriminal who obtains the encryption keys can return encrypted data to its original unencrypted state. An encryption key management system includes the generation, exchange, storage, use, destruction and replacement of encryption keys.

Best practice is to use a dedicated external key management system. There are four types:

1. An HSM or other hardware key management appliance, which provides the highest level of physical security
2. A key management virtual appliance
3. Key management software, which can run either on a dedicated server or within a virtual/cloud server
4. Key Management Software as a Service (SaaS)
