2024-10-08
In this KEYMASTER session, Jiannis Papadakis, Director of Solutions Engineering EMEA at Keyfactor, and Sven Rajala, International PKI Man of Mystery at Keyfactor, discuss the concept of Bring Your Own Key (BYOK) within the context of Hardware Security Modules (HSMs) and Public Key Infrastructure (PKI).
Watch the KEYMASTER episode here:
The key points covered include:
Understanding HSM Vendor Dependency
HSMs securely generate and store cryptographic keys, making the transfer of keys between different HSMs challenging by design. This can result in a certain level of vendor dependency, which in turn makes the choice of HSM vendor a significant and long-term decision.
When Key Export and Import should be possible
When securely moving cryptographic keys to a different platform, such as the cloud, the concept of wrapping is essential. This involves exporting keys in a secure format that other HSMs can recognize, allowing migration between different environments. However, keys must be configured as exportable at the time of generation, as policies generally cannot be altered later.
Trade-offs of Key Exportability
While configuring keys as exportable facilitates migration, it also introduces security risks. Therefore, extra precautions such as multi-factor authentication and strict procedural controls are recommended to safeguard exportable keys.
Greenfield vs. Migration
When moving to the cloud, there are options to either start fresh (greenfield) or use existing PKI infrastructure. Maintaining the root CA on-premises while deploying new sub-CAs in the cloud is often recommended, as it allows continuity of trust chains without a complete overhaul.
BYOK as a Strategic Choice
BYOK provides organizations with the flexibility to adapt their key management strategies as they evolve. However, it’s crucial to weigh the risks associated with exportable keys and to have a well-thought-out plan that aligns with organizational needs for security and adaptability.
BYOK impacts HSM vendor dependency, secure key migration, and the balance between key exportability and security. It is important to plan for key export options from the outset, and organizations can consider either a Greenfield cloud approach or integrating existing root CA structures. Ultimately, BYOK provides flexibility in key management, but organizations must carefully assess the associated risks and ensure alignment with long-term security needs.
Blog - The Role of HSMs in PKI and Signing Solutions