Encryption Key Management?

My employer was recently notified that it needed to upgrade it's legacy system to be 'PCI' [in the credit card data protection/privacy sense] compliant.

For example see the Visa's pdf at [link|http://usa.visa.com/download/business/accepting_visa/support_center/cisp_overview.pdf#search=%22visa%20pci%22|http://usa.visa.com/...=%22visa%20pci%22]

Most of the requirements are fairly straightforward [Convert database columns from plain text to [probably] Triple DES encrypted values.

But there are a few open issues,

How to protect and securely distribute the encryption keys?

How to recover the key that matches a particular database backup?

There are several vendors who will sell you a 'magic box' that acts as a key management system. These boxes seem to require other hardware, software and consulting services from the vendor [and have unknown reliability issues].

There is also a 'Symkey' LGPL project on SourceForge [link|http://www.strongkey.org/|http://www.strongkey.org/] - but it is clearly not ready for prime [or any other] time yet.

Has anyone had experiance implementing a key management system?

Post #265,672 by dlevitt 8/23/06 9:47:40 AM Reply	Encryption Key Management? My employer was recently notified that it needed to upgrade it's legacy system to be 'PCI' [in the credit card data protection/privacy sense] compliant. For example see the Visa's pdf at [link\|http://usa.visa.com/download/business/accepting_visa/support_center/cisp_overview.pdf#search=%22visa%20pci%22\|http://usa.visa.com/...=%22visa%20pci%22] Most of the requirements are fairly straightforward [Convert database columns from plain text to [probably] Triple DES encrypted values. But there are a few open issues, How to protect and securely distribute the encryption keys? How to recover the key that matches a particular database backup? There are several vendors who will sell you a 'magic box' that acts as a key management system. These boxes seem to require other hardware, software and consulting services from the vendor [and have unknown reliability issues]. There is also a 'Symkey' LGPL project on SourceForge [link\|http://www.strongkey.org/\|http://www.strongkey.org/] - but it is clearly not ready for prime [or any other] time yet. Has anyone had experiance implementing a key management system?
Post #265,674 by boxley 8/23/06 10:03:03 AM Reply	Key Management Systems what OS are you running? Verisign has a business of key management. thanx, bill Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free american and do not reflect the opinions of any person or company that I have had professional relations with in the past 50 years. meep
Post #265,846 by dlevitt 8/25/06 10:04:56 AM Reply	Re: Key Management Systems Somehow this ended up over in 'M$ is Guilty', it should be in 'Security'. I'll reply over there [and try editing this post to link to the new message]
Post #265,849 by dlevitt 8/25/06 10:19:51 AM Reply	Re: Key Management Systems (new thread) Created as new thread #265848 titled [link\|/forums/render/content/show?contentid=265848\|Re: Key Management Systems]

Welcome to IWETHEY!