KEY ESCROW
Key escrow is a security measure that involves storing cryptographic keys with a trusted third party, or escrow agent, so that under certain conditions, access to encrypted data can be provided if needed. This concept is often used in scenarios where data recovery is critical, such as in enterprise environments or law enforcement contexts.
1. Key Generation – All keys should be generated using a certified random number generator. Typically, this will be completed using a Hardware Security Module. This ensures that the key exists in one of the three acceptable formats.
2. Key Distribution – Once a key is generated inside a Hardware Security Module, it may need to be distributed to various endpoints for use. If a key must be distributed, it should only be distributed in parts, or encrypted by another key of equal or greater strength.
3. Key Storage – If a key is to be stored outside of a Hardware Security Module, it should be stored in parts or as encrypted by another key of equal or greater strength.
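The following sketch is an added example, not part of the original text. It shows what holding a key "in parts" (steps 2 and 3) can look like, using full-length XOR components where every component is needed to rebuild the key. The function names are hypothetical, and Python's secrets module stands in for the certified random number generator of a Hardware Security Module.

```python
import secrets
from functools import reduce


def _xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("all components must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, parts: int) -> list:
    """Split `key` into `parts` XOR components, each as long as the key.

    Every component is required for recovery; any smaller set is
    indistinguishable from random data and reveals nothing about the key.
    """
    if not key:
        raise ValueError("key must not be empty")
    if parts < 2:
        raise ValueError("a key in parts needs at least two components")
    # parts-1 components are fresh random values (assumption: the OS CSPRNG
    # stands in for the HSM's certified generator) ...
    components = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    # ... and the final component is the key XORed with all of them.
    components.append(reduce(_xor, components, key))
    return components


def combine_components(components: list) -> bytes:
    """Rebuild the key from the complete set of components."""
    if len(components) < 2:
        raise ValueError("at least two components are required")
    return reduce(_xor, components)


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed sample 256-bit key
    shares = split_key(key, 3)             # one component per custodian
    assert combine_components(shares) == key
    # A custodian set missing one component does not recover the key.
    assert combine_components(shares[:2]) != key
    print("recovered key matches:", combine_components(shares) == key)
```

Each component would be handed to a different custodian or endpoint, so that no single holder ever has the whole key.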