Data-At-Rest Encryption Keys Best Practices

Encryption Key Best Practices:

Your (symmetric) encryption key must be 256 bits long.

You should store your encryption key away from the encrypted data sets.

Your key vault must be able to withstand “advanced persistent threats” (APTs).

Only the data owner should be able to make use of the encryption key no matter where your key locker is located.

Your encryption key must be available when needed.

You should be able to rotate your encryption key when needed.

You should be able to revoke your encryption key easily.

Revocation of the encryption key should not necessitate decryption/re-encryption of data sets.

If your server is hosting data sets that belong to more than one data owner, then each data owner must have their own encryption key that is used to encrypt their own data set.

You should remain in control of your own encryption key at all times, irrespective of where you decide to store your key or deploy your host server. With Server General you have two options: you can store your encryption keys in a secure key locker virtual appliance designed to protect your keys against insider/outsider attacks, or within our highly secure and managed cloud key management infrastructure. In both instances we encrypt your encryption key with a passphrase that is known only to you before storing your key in the key vault. This way only you can reconstitute the key once it has been retrieved from the key vault.

Moreover, our data-at-rest encryption offering liberates you from cloud vendor lock-in. You can move your workload from one cloud platform to another without having to decrypt your data first. You will simply move the cipher bits over to the new server. This is not possible if you are using the data-at-rest encryption offering of your cloud vendor.
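The passphrase wrapping described above, and the practice that changing key access should not force re-encryption of the data set, can be illustrated with generic envelope encryption in Node.js. This is an added example, not Server General's code; the function names, the scrypt parameters, the `owner-a` id and the passphrases are assumptions constructed for illustration.

```javascript
const nodeCrypto = require('crypto');

// AES-256-GCM; aad binds each ciphertext to one data owner (ids here are constructed).
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv).setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, box, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, box.iv).setAAD(aad);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // throws on wrong key or tampering
}

// 256-bit key-encryption key (KEK) derived from the passphrase only the owner knows.
function deriveKek(passphrase, salt) {
  const opts = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
  return nodeCrypto.scryptSync(passphrase, salt, 32, opts);
}

// The vault record: salt plus wrapped data key, never the data key or passphrase.
function wrapDek(dek, passphrase, ownerId) {
  const salt = nodeCrypto.randomBytes(16);
  const kek = deriveKek(passphrase, salt);
  return { ownerId, salt, ...seal(kek, dek, Buffer.from(ownerId)) };
}
function unwrapDek(record, passphrase) {
  const kek = deriveKek(passphrase, record.salt);
  return open(kek, record, Buffer.from(record.ownerId));
}

// A passphrase change re-wraps 32 bytes; the data set ciphertext is not touched.
function rewrapDek(record, oldPass, newPass) {
  return wrapDek(unwrapDek(record, oldPass), newPass, record.ownerId);
}

function demo() {
  const owner = Buffer.from('owner-a');
  const dek = nodeCrypto.randomBytes(32); // 256-bit data encryption key
  const data = seal(dek, Buffer.from('constructed sample record'), owner);
  const v2 = rewrapDek(wrapDek(dek, 'old passphrase', 'owner-a'), 'old passphrase', 'new passphrase');
  const plain = open(unwrapDek(v2, 'new passphrase'), data, owner).toString();
  let oldRejected = false;
  try { unwrapDek(v2, 'old passphrase'); } catch (e) { oldRejected = true; }
  return { plain, oldRejected };
}
```

Re-wrapping changes who can unwrap the data key; it does not invalidate a copy of the data key that was extracted earlier, which is why rotating the data key itself remains a separate operation.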