Key encryption key to work with key rotation policies

Enterprise requires security at every level. The data at transit as well as at rest needs to be encrypted. This got more important when enterprises started hosting in cloud providers. Simple encryption using a key is fine, but there are scenarios where the key needs to be changed. In the cryptography world, it is called Key rotation¹. 

When we rotate keys, there are many questions such as should we keep the old keys to decrypt stored data? if so how long and how many old keys do we need to keep?

Background

The basics such as what is the encryption key? What is symmetric and asymmetric encryption² are skipped here. Directly going to the enterprise practices.

• Encrypt the data at rest³
• The encryption key should be rotated in a fixed interval.
• The key management should be in the hands of the enterprise even in the cloud. No cloud-provided managed keys.

Why we are rotating the keys is to secure data even if the key is leaked and the attacker didn't try to decrypt within the rotation interval.

Problem

If we simply use one key and change it, we cannot decrypt the old data unless we keep all old keys associated with the data. If the frequency of key rotation is a month or year, it's fine we can keep the keys. But if the key needs to be rotated every day or 12 hours, it would be difficult.

In case the key is leaked, the person obtaining the key can decrypt the old data. 

Why can't we re-encrypt?

We can think of why can't we decrypt the data with the existing key and encrypt it again with the new key? Technically it is possible but it's an intensive computer process that requires a lot of resources. Depending upon the amount of data, compute resource availability, and the key rotation interval it may not be practical at all. 

By the time we decrypt and encrypt, it would be time to rotate the key again. 

Solution

There is a simple solution to it to satisfy the enterprise's needs.

Encrypt always with the same key, encrypt that key with another key and rotate the key-encryption key.

• The first key that encrypts input data is called the data encryption key. This is often randomly generated. 
• The key that is encrypting the data encryption key is called the key-encryption key. This is sometimes referred to as the master key⁴.
• Keep the master key unencrypted
• Rotate the master key in the defined intervals.

Photo credits.

If we follow this practice, we can satisfy the demand of key rotation but with fewer resources. We always use the same key to encrypt the data and then keep that key in an encrypted fashion.

Is this full proof?

When it comes to computer security it is not will it is when. Below are a few cons

• In this key-encryption key mechanism, there is a problem if the data encryption key is leaked.
• This involves double encryption. In order to get data, the data encryption key needs to be obtained by decrypting using a key-encryption key and then decrypting the original data.

References

• ¹ https://ldapwiki.com/wiki/Key%20Rotation
• ² https://en.wikipedia.org/wiki/Key_(cryptography)
• ³ https://en.wikipedia.org/wiki/Data_at_rest
• ⁴ https://link.springer.com/referenceworkentry/10.1007/978-1-4419-5906-5_86#Sec3_86