Key management #
Acra uses a multitude of encryption keys for different purposes:
- Acra Master Key – the main key, typically stored in KMS / secure storage, and used to encrypt other keys;
- storage keys for encrypting/masking/tokenizing the data. Each data field is encrypted by data encryption key (DEK) which is encrypted by
ClientID-related storage key;
- TLS certificates for transport encryption;
- special keys for transport encryption if AcraConnector is used with Themis Secure Session — deprecated since 0.91.0, use TLS instead;
- keys for searchable encryption (if used);
- keys for tamper-proof audit logging (if used);
- poison record keys for intrusion detection (if used);
- authentication storage key for encryption/decryption credentials of AcraWebConfig (deprecated since 0.91.0) users (if used).
Acra Master Key is securely stored in key management service (KMS) or hardware security module (HSM). Other keys are encrypted and securely stored in a keystore which is located either on the server’s filesystem, or in a remote key storage database.
Inventory of keys #
Glance through the inventory of Acra keys to learn what cryptographic keys are stored in the keystore, where they are located, and how they are used.
However, just storing the keys securely is not enough. It is crucial to manage the keys and operate with the keystore securely as well. Acra provides tools for many key management operations.
These are typical operations that you will need to perform:
- Generate keys when deploying a new Acra instance.
- Back up keys to prevent accidental data loss.
- Rotate keys to mitigate leaks and ensure continuous security.
- Destroy keys when they are no longer used.
If something goes wrong, please refer to the troubleshooting page for instructions on dealing with common issues.
Additional info #
Refer to NIST key management guidelines (NIST SP 800-57) to learn more about key management procedures.
Feel free to contact us if you need additional assistance.