Standard:
YALE-MSS-7.3: Encrypt data in transit and at rest
YALE-MSS-7.3.2: Ensure proper key lifecycle management
| Device type | Low Risk | Moderate Risk | High Risk |
| --- | --- | --- | --- |
| Endpoint | Not Required | Required | Required |
| Server | Not Required | Required | Required |
| Mobile Device | Not Required | Required | Required |
| Network Printer | Not Required | Required | Required |
Details
Proper key lifecycle management means securely creating, distributing, storing, and maintaining encryption keys.
Creation
Keys must be created using secure algorithms to ensure randomness and strength.
- Public/private key pairs should use a 4096-bit key length.
- The recommended symmetric block cipher is AES with a 256-bit key length.
Distribution
All keys must only be shared between parties through secure protocols. For asymmetric keys, the public key is shared openly, while the private key remains confidential.
Storage
All keys must be stored securely.
- Typically storage is handled via hardware security modules (HSMs) or encrypted key vaults.
- Access to the storage solution must be protected by multi-factor authentication and appropriate authorization. These access controls should meet the MSS for high-risk data.
- Note: There are Yale-contracted cloud storage solutions for secure key management.
Maintenance
Maintenance includes the periodic rotation of keys as well as key revocation/destruction when necessary.
- Rotation: Keys are periodically replaced to reduce the risk of exposure or compromise.
- Revocation/Destruction: Keys that are no longer secure or no longer needed are invalidated and/or securely deleted.
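The Creation, Storage, and Maintenance requirements above can be checked against a key inventory. The following is an added example, not part of the Yale standard: the inventory schema, the storage labels, and the 365-day rotation interval are assumptions (the standard names no interval), and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

ASYMMETRIC_MIN_BITS = 4096               # Creation: key pairs use 4096 bits
SYMMETRIC_REQUIRED = ("AES", 256)        # Creation: AES with a 256-bit key
APPROVED_STORAGE = {"hsm", "key-vault"}  # Storage: HSM or encrypted key vault
ROTATION_INTERVAL = timedelta(days=365)  # assumption: page sets no interval

@dataclass
class KeyRecord:
    """One row of a hypothetical key inventory (schema is an assumption)."""
    key_id: str
    kind: str                  # "asymmetric" or "symmetric"
    algorithm: str
    bits: int
    storage: str
    created: date
    status: str = "active"     # "active", "revoked" or "destroyed"
    compromised: bool = False

def audit(keys, today):
    """Return (key_id, finding) pairs for active keys that miss a requirement."""
    findings = []
    for k in keys:
        if k.status != "active":
            continue  # revoked or destroyed keys are already out of service
        if k.compromised:
            findings.append((k.key_id, "compromised key still active: revoke it"))
        if k.kind == "asymmetric" and k.bits < ASYMMETRIC_MIN_BITS:
            findings.append((k.key_id, f"key pair is {k.bits} bits, expected 4096"))
        if k.kind == "symmetric" and (k.algorithm, k.bits) != SYMMETRIC_REQUIRED:
            findings.append((k.key_id, f"{k.algorithm}-{k.bits} in use, expected AES-256"))
        if k.storage not in APPROVED_STORAGE:
            findings.append((k.key_id, f"stored in '{k.storage}', not an HSM or vault"))
        if today - k.created > ROTATION_INTERVAL:
            findings.append((k.key_id, "rotation overdue"))
    return findings

# Constructed sample inventory (not real keys).
SAMPLE = [
    KeyRecord("k1", "asymmetric", "RSA", 4096, "hsm", date(2024, 3, 1)),
    KeyRecord("k2", "asymmetric", "RSA", 2048, "key-vault", date(2024, 3, 1)),
    KeyRecord("k3", "symmetric", "AES", 128, "filesystem", date(2022, 1, 10)),
    KeyRecord("k4", "symmetric", "AES", 256, "hsm", date(2024, 1, 5), compromised=True),
    KeyRecord("k5", "symmetric", "AES", 256, "hsm", date(2020, 6, 1), status="destroyed"),
]

if __name__ == "__main__":
    for key_id, finding in audit(SAMPLE, today=date(2024, 6, 1)):
        print(key_id, finding)
```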