Knogin
[Gestion]

Encryption Key Management

Argus provides enterprise-grade encryption key management with hardware security module (HSM) protection, automated key rotation, and disaster recovery capabilities.

Metadonnees du module

Argus provides enterprise-grade encryption key management with hardware security module (HSM) protection, automated key rotation, and disaster recovery capabilities.

Retour à la Liste

Reference source

content/modules/security-encryption-key-management.md

Dernière Mise à Jour

5 févr. 2026

Catégorie

Gestion

Checksum du contenu

cdf5a502b9fd78b1

Étiquettes

managementcomplianceblockchain

Documentation rendue

Cette page rend le Markdown et Mermaid du module directement depuis la source publique de documentation.

Overview#

Argus provides enterprise-grade encryption key management with hardware security module (HSM) protection, automated key rotation, and disaster recovery capabilities. The platform ensures that cryptographic keys are generated, stored, and managed according to the highest security standards, protecting your data at rest and in transit while meeting stringent compliance requirements.

Key Features#

  • HSM-Protected Key Generation - All production cryptographic keys are generated within certified hardware security modules, ensuring keys are created with true random number generators and never exist unprotected in software memory.

  • Hierarchical Key Architecture - A multi-tier key hierarchy (master keys, key encryption keys, and data encryption keys) enables efficient key management at scale. Data encryption keys can be rotated without re-encrypting the underlying data.

  • Automated Key Rotation - Configurable rotation schedules automatically generate new key versions with zero-downtime transition periods. Both old and new keys remain valid during the dual-key acceptance window, ensuring continuous operations.

  • Cryptographic Agility - The platform supports migration between encryption algorithms without service interruption, enabling you to adopt stronger cryptographic standards as they emerge or as compliance requirements evolve.

  • Multi-Region Key Distribution - Key material is replicated across multiple geographic regions for high availability, with redundancy that ensures key operations continue even during regional outages.

  • Key Escrow and Disaster Recovery - Multi-party key custody with geographic distribution ensures cryptographic keys can be recovered in disaster scenarios while preventing any single individual from accessing key material alone.

  • Comprehensive Audit Trail - Every key operation is logged with full context, providing the documentation needed for compliance audits and security investigations.

How It Works#

Key Hierarchy#

Argus uses a three-tier key hierarchy to balance security with operational efficiency:

  1. Master Key Encryption Keys (MKEK) - The root of trust, protected within HSMs and never exported. Master keys protect the next tier of keys.

  2. Key Encryption Keys (KEK) - Domain or tenant-specific keys that protect data encryption keys. KEK rotation triggers re-wrapping of protected data keys without touching encrypted data.

  3. Data Encryption Keys (DEK) - Per-resource or per-file keys used for actual data encryption. DEK rotation is efficient because only the key wrapping changes, not the encrypted data.

Key Lifecycle#

Keys progress through a managed lifecycle:

  • Pre-Active - Generated but not yet activated for production use
  • Active - Currently valid for all cryptographic operations
  • Rotating - In transition, with both old and new versions accepting operations
  • Deprecated - Old version after rotation, limited to decryption only
  • Deactivated - Manually disabled but recoverable
  • Destroyed - Securely wiped and irrecoverable

Key Rotation#

The platform supports three rotation strategies:

  • Scheduled Rotation - Automatic rotation on configurable schedules with proactive notifications and dual-key acceptance periods
  • Event-Triggered Rotation - Immediate rotation in response to security incidents, suspected compromise, or regulatory changes
  • On-Demand Rotation - Administrator-initiated rotation for emergencies, with multi-party approval for production keys

Disaster Recovery#

Key recovery is protected by a multi-party custodian model:

  • Designated key custodians are geographically distributed
  • A quorum of custodians is required for key recovery operations
  • Hardware security tokens provide secure share storage
  • Regular recovery drills validate procedures
  • Recovery capabilities range from automatic failover for component failures to custodian-assisted recovery for catastrophic events

Compliance#

Encryption key management supports compliance with:

  • PCI-DSS - Cryptographic key management requirements for cardholder data protection
  • HIPAA - Encryption requirements for protected health information
  • SOC 2 - Cryptographic controls for data confidentiality
  • SOX - Data protection controls for financial information
  • GDPR - Technical measures for personal data protection
  • FedRAMP - Cryptographic requirements for government data

Availability#

  • Enterprise Plan: Full HSM-backed key management included
  • Professional Plan: Platform-managed encryption; HSM integration available as add-on

Last Reviewed: 2026-02-05