Algorithms, step-by-step processes designed to tell a computer what to do and how to do it, are used to encipher data. Passwords and crypto keys are strings of characters needed to decrypt enciphered data. If these strings are not properly managed, you can lose the ability to decrypt this data forever. That is why proper key management is so important any time you are using cryptography on your systems. When using Blockchain, it can be especially important.
The most notable use of Blockchain to date is in Cryptocurrency. Last December, the 30-year-old founder of the Canadian cryptocurrency exchange QuadrigaCX reportedly died abroad. Unfortunately, he went to his reward without telling anyone the password for his storage wallet, causing the loss of up to 190 million dollars. What a mess! The exchange is now out of business and the court has appointed a monitor (Ernst & Young) and law firms to represent QuadrigaCX customers. An object lesson indeed for employing proper key management.
It should also be noted that with Blockchain, key management can be difficult. It uses atypical cryptographic algorithms that are not compatible with many current applications. To start, users generate a private key to sign transactions when an account is created. In order to share information, Blockchains generate public keys that are accessible to all from these private keys using complicated algorithms. There are also new terms you have to get used to such as hot keys and cold keys, and you need to understand the different ways you can use them.
But despite these differences and difficulties, there are common policies and processes that should be addressed when managing all encryption keys. One policy you need to address is access to keys. Who can make them, view them or copy them? Should you employ dual controls to assure that no one person alone can compromise the keys? How do you assure that authorized persons can access the keys in emergency situations?
Then there is the question of key storage. Best practices have always been to store keys in totally separate air-gapped systems if at all feasible. But if not, how can you assure that they are totally protected from hackers and malware? Also, if you use air-gapped systems, how do you assure their physical security from internal attackers?
Also, you should have layers of monitoring around key systems. This doesn’t only include verbose logging and monitoring of activity in key management systems, but also management monitoring and oversight of processes and personnel. All these points and more should be addressed in written policies and procedures. Without employing proper policies and processes, no key management system is complete.