
Thursday, 23 March 2017

Some thoughts on a key management policy

  • only standard algorithms (e.g. AES) are used and, where possible, products which have received appropriate accreditation are used
  • access to cryptographic keys is granted strictly on a need-to-know basis
  • ensure that no single person has full knowledge of the encryption keys
  • data should be transmitted over a different communication channel than the keys used to govern the cryptographic process
  • keys and related keying materials must not be stored anywhere in unencrypted form
  • ensure that readable versions of any keys are not deleted until receipt and decryption of the encrypted file has been confirmed
