Key management recommendations
Information and Educational Technology recommends that each campus unit create a plan ("key management plan") to manage the electronic keys that let them access their encrypted information.A well-crafted plan, adapted to your environment, will help protect secure access to encrypted information, and help your unit and individual users satisfy university policies and state and federal law.
The key management plan should include these provisions
· A requirement that anyone who stores encrypted institutional data must provide the keys, or other means to access the data, to a person designated by the unit (the "key manager"). The key manager could be the unit's technology support coordinator, management service officer, department chair, or someone similar.
· A template key management agreement between the key manager and each user of encrypted stored data that states: where the data is stored; the tool used to encrypt it; acknowledges that the data shall not be accessed for reasons that conflict with law or university policy; and acknowledges that the user knows and understands relevant university policy.
· Any escrowed key will only be used with consensual or non-consensual approval(s), as specified in PPM310-24.
· One or more strategies to ensure that data can be recovered if the keys are lost or unavailable. These strategies include secure backup procedures, or master keys.
· A provision stating how the key manager will secure all the instructions related to decrypting or accessing encrypted data.
· One or more methods to handle keys that have been, or might be, compromised.
· One or more methods to destroy or revoke unused keys.
· Procedures to develop, document and disseminate the unit's key management plan.
The plan should also clarify the responsibilities of the key managers and encryption users:
Key manager responsibilities
· Knows the university's data encryption recommendations and related university policies (see below).
· Ensures that all encryption keys are secure, however they are stored.
· Understands all processes related to key management.
· Creates a key management agreement, with each user of encrypted data, which identifies where encrypted data is stored, the encryption tool used, and all information needed to access the data when access is allowed or required by policy or law.
· Reviews, at least once a year, information in the key management agreement with the encryption users, to ensure that the information contained is correct and sufficient.
Encryption user responsibilities
· Agrees to a key management agreement with the key manager that states where the encrypted data is stored, the tool used to encrypt it, and acknowledges that the data shall not be accessed for reasons that conflict with law or university policy.
· Knows the university's data encryption recommendations and related policies (see below).
· Knows the key management plan for their area and any encrypted data they use or store.
· Tells the key manager when encryption is no longer used, or if information in the key management agreement changes (eg, there are changes to the keys, or to where the encrypted data is stored).
IET is not recommending any particular technology or specific method for key management, nor are we recommending or supporting a central key repository.Different technologies and arrangements will best meet the needs of different units. Here are some available options:
Key Management Storage Options / ContactAD for departments who have their own AD domain. / Department technical staff. ITPS is available to consult. Contact or (530) 757-8907.
Uconnectfor departments that participate in this service. / Department technical staff. ITPS is available to consult. Contact or (530) 757-8907.
Data Center SAN (file system storage) for Non-Window systems. / Department technical staff. ITPS is available to consult. Contact or (530) 757-8907.
Data Center SAN (file system storage) for Windows systems not joined to an AD domain. / Provided by ITPS or department technical staff. Contact or (530) 757-8907.
For additional information, please consult the following references.You are also encouraged to contact campus security staff to discuss how you use and manage stored encrypted data.
References
IS-3 Electronic Information Security
http://www.ucop.edu/ucophome/policies/bfb/is3.pdf(Revised Feb. 3, 2011)
Encryption at the University of California: Overview and Recommendations;Section 7 of this document addresses key management (April 20, 2006)
UC DavisPPM 310-24 Electronic Communications—Privacy and Access http://manuals.ucdavis.edu/PPM/310/310-24.pdf
UC DavisPPM 310-75 Whole Disk Encryption
http://manuals.ucdavis.edu/PPM/310/310-75.pdf
NIST Guide to Storage Encryption Technologies for End User Devices http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf
NIST Special Publication 800‐57: Recommendations for Key Management http://csrc.nist.gov/publications/nistpubs/800‐57/SP800‐57‐Part1.pdf http://csrc.nist.gov/publications/nistpubs/800‐57/SP800‐57‐Part2.pdf
http://csrc.nist.gov/publications/nistpubs/800‐57/SP800‐57‐Part3.pdf
NIST Cryptographic Algorithms and Key Sizes for Personal Identity Verification (February 2010)