# Cryptographic Key Management

## Overview
MazeVault implements comprehensive cryptographic key lifecycle management in accordance with NIST SP 800-57 and other security standards. The system supports key generation, storage, distribution, rotation, and secure destruction.
## Key Lifecycle (NIST 800-57)
| State | Description | Operations |
|---|---|---|
| Pre-active | Key generated, not yet used | Generation, backup |
| Active | Key in active use | Encryption, signing, verification |
| Deactivated | Key retired from active use | Decryption/verification only |
| Compromised | Key potentially compromised | Revocation, replacement |
| Destroyed | Key securely deleted | No operations |
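The lifecycle table is easiest to get wrong as code: a key that is "retired" must still be able to decrypt old data but must never sign again, and nothing may reactivate a destroyed key. The following Go program is an added example, not MazeVault's own implementation, that enforces both the "Operations" column and the forward-only transitions between states; the state names and operation names are taken from the table, everything else (the `ManagedKey` type, the transition graph) is an assumption made for the example.

```go
package main

import "fmt"

// KeyState mirrors the five NIST SP 800-57 lifecycle states in the table.
type KeyState int

const (
	PreActive KeyState = iota
	Active
	Deactivated
	Compromised
	Destroyed
)

func (s KeyState) String() string {
	return [...]string{"Pre-active", "Active", "Deactivated", "Compromised", "Destroyed"}[s]
}

// Operation is a use of the key material that the lifecycle gates.
type Operation string

const (
	OpGenerate Operation = "generate"
	OpBackup   Operation = "backup"
	OpEncrypt  Operation = "encrypt"
	OpDecrypt  Operation = "decrypt"
	OpSign     Operation = "sign"
	OpVerify   Operation = "verify"
)

// allowedOps follows the "Operations" column. Decrypt is also permitted in the
// Active state (the table lists only the forward operations; an active key can
// always undo its own encryption). Compromised and Destroyed keys allow no use
// of the key material at all: revocation and replacement are actions on the
// certificate and CA side, not uses of the key.
var allowedOps = map[KeyState]map[Operation]bool{
	PreActive:   {OpGenerate: true, OpBackup: true},
	Active:      {OpEncrypt: true, OpDecrypt: true, OpSign: true, OpVerify: true},
	Deactivated: {OpDecrypt: true, OpVerify: true},
	Compromised: {},
	Destroyed:   {},
}

// transitions is the forward-only state graph (assumed for this example): a key
// never returns to an earlier state, a compromised key can only be destroyed,
// and Destroyed is terminal.
var transitions = map[KeyState][]KeyState{
	PreActive:   {Active, Compromised, Destroyed},
	Active:      {Deactivated, Compromised, Destroyed},
	Deactivated: {Compromised, Destroyed},
	Compromised: {Destroyed},
	Destroyed:   {},
}

// ManagedKey is a key record with its current lifecycle state; the key
// material itself is out of scope here.
type ManagedKey struct {
	ID    string
	State KeyState
}

func NewManagedKey(id string) *ManagedKey {
	return &ManagedKey{ID: id, State: PreActive}
}

// Use returns an error if op is not permitted in the key's current state.
func (k *ManagedKey) Use(op Operation) error {
	if !allowedOps[k.State][op] {
		return fmt.Errorf("key %s: operation %q not allowed in state %s", k.ID, op, k.State)
	}
	return nil
}

// Transition moves the key to the next state only if that edge exists.
func (k *ManagedKey) Transition(to KeyState) error {
	for _, next := range transitions[k.State] {
		if next == to {
			k.State = to
			return nil
		}
	}
	return fmt.Errorf("key %s: transition %s -> %s not allowed", k.ID, k.State, to)
}

func main() {
	k := NewManagedKey("tls-web-01") // constructed key id
	fmt.Println(k.Use(OpSign))             // error: a pre-active key cannot sign
	fmt.Println(k.Transition(Active))      // nil
	fmt.Println(k.Use(OpSign))             // nil
	fmt.Println(k.Transition(Deactivated)) // nil
	fmt.Println(k.Use(OpSign))             // error: a retired key may only decrypt/verify
	fmt.Println(k.Transition(Active))      // error: no path back to Active
	fmt.Println(k.Transition(Destroyed))   // nil
	fmt.Println(k.Use(OpVerify))           // error: a destroyed key allows nothing
}
```

The point to carry over into any real implementation is that the check happens at the point of use, not only when the state changes: a signing request for a deactivated key must be rejected by the key service itself, and the rejection is what shows up in the audit trail.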
## Key Storage

### Internal Storage
All private keys are encrypted using AES-256-GCM before database storage. The encryption key (master key) is derived from server configuration and is never stored in the database.
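The design described above has two properties worth seeing in working code: the master key exists only in memory after being derived from configuration, and every stored record is authenticated, so a modified or mislabelled ciphertext yields an error rather than a wrong key. The Go program below is an added example and not MazeVault's code; the HKDF-SHA256 derivation with its labels, the `StoredKey` record layout, and the use of the key ID as GCM associated data are assumptions made for the example (the page does not document how MazeVault derives its master key).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// DeriveMasterKey turns the secret held in server configuration into the
// 32-byte AES-256 master key. This is a one-block HKDF-SHA256 (RFC 5869)
// written out with crypto/hmac; the salt and info labels are constructed for
// this example.
func DeriveMasterKey(configSecret []byte) []byte {
	// Extract: PRK = HMAC-SHA256(salt, IKM)
	extract := hmac.New(sha256.New, []byte("mazevault/master-key/v1"))
	extract.Write(configSecret)
	prk := extract.Sum(nil)
	// Expand one block: T(1) = HMAC-SHA256(PRK, info || 0x01); 32 bytes is all we need.
	expand := hmac.New(sha256.New, prk)
	expand.Write([]byte("private-key-storage"))
	expand.Write([]byte{0x01})
	return expand.Sum(nil)
}

// StoredKey is the database record: key ID, nonce and ciphertext only. The
// master key never appears here, and the key ID is bound in as AEAD associated
// data so a record cannot be re-labelled as another key's material.
type StoredKey struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(masterKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(masterKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPrivateKey seals the PEM-encoded private key under the master key
// with a fresh random 96-bit nonce for every record.
func EncryptPrivateKey(masterKey []byte, keyID string, privateKeyPEM []byte) (*StoredKey, error) {
	gcm, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, privateKeyPEM, []byte(keyID))
	return &StoredKey{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptPrivateKey opens a record. Any change to the nonce, ciphertext, tag
// or key ID fails authentication, and no plaintext is returned.
func DecryptPrivateKey(masterKey []byte, rec *StoredKey) ([]byte, error) {
	gcm, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.KeyID))
	if err != nil {
		return nil, errors.New("stored private key failed GCM authentication")
	}
	return pt, nil
}

func main() {
	// Constructed configuration secret and a placeholder PEM body.
	master := DeriveMasterKey([]byte("MAZEVAULT_MASTER_SECRET=constructed-example-value"))
	keyPEM := []byte("-----BEGIN PRIVATE KEY-----\nMIG...constructed...\n-----END PRIVATE KEY-----\n")
	rec, err := EncryptPrivateKey(master, "key-0001", keyPEM)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d ciphertext bytes for %s\n", len(rec.Ciphertext), rec.KeyID)
	// A record re-labelled with a different key ID does not decrypt.
	rec.KeyID = "key-0002"
	_, err = DecryptPrivateKey(master, rec)
	fmt.Println("decrypt with swapped id:", err)
}
```

The usual operational caveat follows from the derivation: rotating the configuration secret changes the master key, so every stored record must be re-encrypted under the new key before the old secret is removed, and that re-encryption is itself a key operation that belongs in the audit trail.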
### HSM Integration
MazeVault supports Hardware Security Modules for the highest level of key protection:
| HSM Provider | Support | Use Case |
|---|---|---|
| AWS CloudHSM | ✅ | CA key generation and storage |
| Azure Key Vault HSM | ✅ | Managed HSM for CA keys |
| Google Cloud HSM | ✅ | Cloud KMS with HSM backend |
| PKCS#11 | ✅ | On-premise HSM (Thales, Utimaco) |
### Remote Key Storage
For certificates deployed on remote servers, MazeVault supports two modes:
- Remote Storage — Private key remains on the target server, MazeVault manages only the certificate
- Internal Vault — Private key imported into MazeVault's encrypted storage
## Key Rotation

### Automatic Certificate Rotation
Certificates can be automatically renewed with a choice of key policy:
| Policy | Description | Use Case |
|---|---|---|
| Regenerate | New key pair on each renewal | Recommended for production |
| Reuse | Same key with new certificate | For systems with key pinning |
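The difference between the two policies is whether the public key in the renewed certificate changes, which is exactly what a client with key pinning checks. The Go program below is an added example rather than MazeVault's renewal code: it issues a certificate, renews it under each policy, and compares the public keys. Certificates are self-signed so the example runs stand-alone (a real renewal is signed by the CA key); the `Issued` type, `Enroll`, `Renew` and `SameKey` are names chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyPolicy is the renewal policy from the table.
type KeyPolicy int

const (
	Regenerate KeyPolicy = iota // new key pair on each renewal
	Reuse                       // same key, new certificate (key pinning)
)

// Issued pairs a private key with the certificate currently bound to it.
type Issued struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// issue creates a certificate for key with a fresh random serial. Self-signed
// here to keep the example self-contained; real issuance uses the CA key.
func issue(key *ecdsa.PrivateKey, cn string, lifetime time.Duration) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now,
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Enroll generates the first key pair and its certificate.
func Enroll(cn string, lifetime time.Duration) (Issued, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Issued{}, err
	}
	cert, err := issue(key, cn, lifetime)
	if err != nil {
		return Issued{}, err
	}
	return Issued{Key: key, Cert: cert}, nil
}

// Renew issues a replacement certificate under the chosen key policy.
func Renew(cur Issued, policy KeyPolicy, lifetime time.Duration) (Issued, error) {
	key := cur.Key
	if policy == Regenerate {
		fresh, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return Issued{}, err
		}
		key = fresh
	}
	cert, err := issue(key, cur.Cert.Subject.CommonName, lifetime)
	if err != nil {
		return Issued{}, err
	}
	return Issued{Key: key, Cert: cert}, nil
}

// SameKey reports whether two certificates carry the same public key, which
// is what a pinning client compares after a renewal.
func SameKey(a, b *x509.Certificate) bool {
	pa, okA := a.PublicKey.(*ecdsa.PublicKey)
	pb, okB := b.PublicKey.(*ecdsa.PublicKey)
	return okA && okB && pa.Equal(pb)
}

func main() {
	first, err := Enroll("web.example.internal", 90*24*time.Hour) // constructed name
	if err != nil {
		panic(err)
	}
	regen, _ := Renew(first, Regenerate, 90*24*time.Hour)
	reuse, _ := Renew(first, Reuse, 90*24*time.Hour)
	fmt.Println("Regenerate keeps pinned key:", SameKey(first.Cert, regen.Cert)) // false
	fmt.Println("Reuse keeps pinned key:     ", SameKey(first.Cert, reuse.Cert)) // true
}
```

Reuse is the policy that keeps a pinned deployment working, but it also means the private key's exposure window spans every certificate ever issued for it, which is why the table recommends Regenerate for production and reserves Reuse for systems that actually pin.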
### CA Key Rotation
Root and subordinate CA keys have longer lifecycles:
- Root CA: 10-20 years
- Subordinate CA: 5-10 years
- End-entity certificate: 90 days - 1 year
## Key Distribution

### Supported Formats

| Format | Extension | Use Case |
|---|---|---|
| PEM | .pem, .crt, .key | Linux/Unix servers, Nginx, Apache |
| DER | .der, .cer | Windows, Java |
| PKCS#12/PFX | .pfx, .p12 | Windows, IIS, Java keystores |
| JKS | .jks | Java applications, WebLogic, Tomcat |
| PKCS#7 | .p7b | Certificate chains |
### Target Systems
MazeVault can distribute certificates and keys to:
- Azure Key Vault — Automatic synchronization
- Kubernetes Secrets — TLS secrets for Ingress
- Filesystem — Via MazeVault Agent
- Java Keystores — JKS/PKCS12 via Agent
- Windows Certificate Store — Via Agent
- Oracle Wallet — For database TLS
- IIS — Certificate binding
## Compliance Mapping
| Regulation | Control | Implementation |
|---|---|---|
| PCI DSS 3.6.1 | Key Generation | Cryptographically secure generator |
| PCI DSS 3.6.3 | Key Distribution | Encrypted transport via mTLS |
| PCI DSS 3.6.4 | Key Rotation | Automatic rotation with configurable interval |
| PCI DSS 3.6.5 | Key Retirement | Deactivation and archival |
| SOC 2 CC6.7 | Transmission Protection | TLS 1.2+ for all communication |
| SOC 2 CC6.8 | Key Rotation | Fully automated |
| NIST 800-57 | Key Lifecycle | All states implemented |
| eIDAS | Qualified Certificates | I.CA and other QTSP support |
## Audit Trail
All key operations are recorded in the audit log:
- Key generation
- Key export
- Key import
- Key rotation
- Certificate revocation
- Certificate deployment
- Key destruction