Key archival is an important security process that involves securely storing encryption keys for long-term retention. Archived keys may be needed in the future to recover encrypted data, but they should be kept in a highly secure repository with strict access controls. The key archival process requires careful planning and implementation to ensure keys remain protected throughout their lifecycle.

Where did this come from?

This article is based on Control CEK-18 Key Archival from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full Cloud Controls Matrix from the Cloud Security Alliance website. For more information on managing encryption keys in AWS, check out the AWS Key Management Service Developer Guide.

Who should care?

• Security engineers responsible for designing and implementing key management solutions
• Compliance officers who need to ensure adherence to legal and regulatory requirements around data encryption
• Developers building applications that leverage encryption to protect sensitive data
• IT operations teams who may need to recover encrypted data using archived keys

What is the risk?

Poor key archival practices can lead to a few scary situations:

• Permanently losing access to important encrypted data if the keys are lost
• Unauthorized access to sensitive data if archived keys are not properly secured
• Regulatory fines and reputational damage from non-compliance with encryption requirements

While scary, these risks can be largely mitigated through a well-designed key archival process. Likelihood of issues is low if best practices are followed, but consequences of losing keys can be severe.

What's the care factor?

For companies dealing with regulated personally identifiable information (PII), protected health information (PHI), or sensitive intellectual property, key archival should be a top priority. Losing the ability to decrypt important data can be catastrophic. For less sensitive data, key archival may be a lower priority but is still a security best practice. Be pragmatic and assess criticality of the data.

When is it relevant?

Key archival makes sense when:

• Encrypting data for long-term storage where keys may not be used regularly
• Encryption is used to protect highly sensitive/regulated data
• Legal or compliance requirements mandate encryption key archival

Key archival may be overkill when:

• Dealing with low sensitivity data
• Encryption keys are rotated frequently and old keys are not needed
• Key management system already has robust backup/restore capabilities

What are the tradeoffs?

Implementing key archival does require some effort and tradeoffs:

• Added complexity to encryption key management processes
• Operational overhead to securely manage archived keys
• Cost of secure key storage systems and auditing tools
• Slight performance impact from archival/retrieval operations

However, for sensitive data, the security benefits usually outweigh the costs. It's an investment to prevent more costly incidents.

How to make it happen?

Here's a high-level overview of implementing secure key archival in AWS:

1. Design your key hierarchy and decide which keys need to be archived
2. Create a dedicated Amazon S3 bucket with encryption and strict access policies to store archived keys
3. Setup AWS Identity and Access Management (IAM) roles with least privilege access to the S3 archive bucket
4. Define a process to archive keys using the AWS Key Management Service (KMS) GetParametersForImport API to securely retrieve key material and upload to the S3 archive
5. Implement a process to retrieve archived keys with KMS ImportKeyMaterial API when needed
6. Use AWS CloudTrail to log all activity on the S3 archive bucket and KMS keys
7. Schedule regular audits of IAM policies, S3 bucket config, and CloudTrail logs to ensure process is secure

For all the nitty gritty details, check out this AWS blog post on archiving and retrieving secrets.

What are some gotchas?

A few things to watch out for when setting up key archival in AWS:

• The IAM role used for archival needs kms:GetParametersForImport permission on the KMS key and s3:PutObject on the archive bucket
• Retrieving archived keys requires kms:ImportKeyMaterial permission. Be very selective which roles/users can retrieve keys
• Archival and retrieval operations should ideally be done from a locked-down admin machine versus a regular developer laptop
• Deleting an archived key from S3 is irreversible. Be extremely cautious when deleting any archived key material

Docs for your reference:

• AWS KMS API Permissions Reference
• Amazon S3 Actions and Condition Context Keys for IAM Policies

What are the alternatives?

Native AWS services like S3 and KMS actually provide excellent key archival capabilities out-of-the-box. However a few other options to consider:

• Cloud HSMs like AWS CloudHSM or Azure Dedicated HSM provide FIPS 140-2 Level 3 compliant hardware storage for archiving keys for the most sensitive data
• 3rd party key management tools like Hashicorp Vault can handle key archival across multiple clouds
• For on-premises use cases, physical HSMs or offline removeable media may be used for key archival

Explore further

Here are some additional resources to dive deeper on encryption key archival:

• NIST SP 800-57 Pt. 1 Rev. 5 - Recommendation for Key Management: Part 1 – General
• CIS Controls v8 - Control 3.11: Encrypt Sensitive Data at Rest
• Wikipedia - Key Management

Hope this helps demystify the world of encryption key archival. Remember, keep those keys locked up tight!

‍