Gartner Research

Effective Encryption Key Management

Published: 22 January 2014

ID: G00258184

Analyst(s): Erik Heidt


Enterprises should focus on establishing centralized governance and oversight over key management operations while having cryptographic operations performed by teams with appropriate technical skills. Incremental governance and process improvements often outperform grandiose "enterprise" solutions.

Table Of Contents

Summary of Findings


  • The Use of the Word "Key" in This Document
  • Objectives of Key Management
    • Achieving Expected Security Objectives
    • Avoid Disruptions to Systems and Operations
  • Enterprise Key Management
  • What It Means to "Manage" Enterprise Cryptography and Keys
    • Summary of Key Management Issues
    • Cryptography Management Hierarchy
    • Key Management and Access Management
    • Cryptography Management and Configuration Management
  • Customer Use Cases, Vendors and the Role of Standards
    • Cryptography Silos and Customer Use Cases
  • Creating a Cryptography and Key Management Practice
    • Defining Cryptographic Management Policies and Standards
    • Establishing Operational Management and Compliance Procedures
    • Evaluating Cryptographic Technology and Management Solutions
  • A Note on Operational and Architectural Security
  • Strengths
  • Weaknesses
  • Governance and Oversight
  • Do Not Make Perfection the Enemy of Better
  • Evaluate and Implement Key Management Capabilities
  • Develop a Cryptography Strategy
  • View Key Management as a Practice, Not a Technology
  • Know Your Cryptography and Artifacts
  • Design for Appropriate Security and Availability Levels
  • Make Accountability a Critical Security Objective
  • Pay Special Attention to Recoverability of Encryption Keys
  • Create Solution-Specific Standards and Processes

The Details

  • The Importance of Managing Cryptographic Keys and Other Artifacts
    • The Nature and Life Cycle of Cryptographic Artifacts
    • Relating Confidentiality, Integrity and Availability Objectives of Data to Keys
    • Nonrepudiation Objectives May Require Special Key Handling
    • Accountability Is a Critical Objective in Key Management
    • Identifying Which Keys and Artifacts in the Hierarchy to Manage
  • Key Management in High-Assurance Environments

Gartner Recommended Reading

©2021 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.
