Key Management Best Practices
Proper key management is crucial for maintaining encryption security. Poor key handling can undermine even the strongest encryption algorithms.
Key Generation and Storage:
// iOS - Secure key management
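/// Owns the app's master key and hands out purpose-specific subkeys derived from it.
///
/// The master key lives in the Keychain and is only read transiently for
/// derivation or rotation. Per-purpose keys are produced with HKDF so that a
/// leaked derived key does not reveal the master key or its siblings.
class CryptoKeyManager {
    private let keychain = KeychainService()

    /// Single source of truth for the master-key tag. The original repeated the
    /// literal at three call sites, which is exactly how tags drift apart.
    private static let masterKeyTag = "com.app.masterkey"
    /// Where the outgoing master key is parked during rotation until the new
    /// key is confirmed live. (Suffix constructed here; it is not an app-wide
    /// convention visible in the original.)
    private static let retiredMasterKeyTag = masterKeyTag + ".old"
    /// Where the incoming master key is staged before re-encryption so it can
    /// never be lost to a crash while it exists only in memory. (Constructed.)
    private static let pendingMasterKeyTag = masterKeyTag + ".pending"

    /// Generates a 256-bit master key and stores it in the Keychain, unless one
    /// is already present.
    ///
    /// - Throws: whatever `KeychainService.saveKey` throws when the store fails.
    func setupMasterKey() throws {
        // NOTE(review): `try?` treats *every* retrieval failure (device locked,
        // interaction not allowed, missing entitlement) as "no key yet", after
        // which the write below may collide with — or replace — the real key.
        // KeychainService should surface a distinct not-found error so that only
        // that case falls through to generation; confirm against its error API.
        if (try? keychain.retrieveKey(tag: Self.masterKeyTag)) != nil {
            return
        }
        try store(SymmetricKey(size: .bits256), tag: Self.masterKeyTag)
    }

    /// Derives a 256-bit key bound to `purpose` from the master key using
    /// HKDF-SHA256.
    ///
    /// - Parameter purpose: a stable, unique label (e.g. one per data store).
    ///   Changing the label changes the derived key.
    /// - Returns: the purpose-specific key; deterministic for a given master
    ///   key and label.
    /// - Throws: if the master key cannot be read from the Keychain.
    func deriveKey(for purpose: String) throws -> SymmetricKey {
        let masterKeyData = try keychain.retrieveKey(tag: Self.masterKeyTag)
        // The label stays in `salt` with an empty `info` so the derived keys are
        // byte-identical to those produced before this change. HKDF's conventional
        // slot for a context label is `info`; moving it there is a key-version
        // change (existing ciphertext would no longer decrypt) and must be paired
        // with a re-encryption pass.
        return HKDF<SHA256>.deriveKey(
            inputKeyMaterial: SymmetricKey(data: masterKeyData),
            salt: Data(purpose.utf8),
            info: Data(),
            outputByteCount: 32
        )
    }

    /// Replaces the master key with a freshly generated one.
    ///
    /// Ordering is the whole point: the new key is persisted *before* any data
    /// is re-encrypted, and the old key is retired rather than overwritten, so
    /// that a crash or Keychain failure at any step leaves every piece of
    /// ciphertext decryptable by a key that still exists somewhere.
    ///
    /// - Throws: errors from `KeychainService` or `reencryptAllData(with:)`.
    func rotateKeys() throws {
        // 1. Generate the replacement key.
        let newMasterKey = SymmetricKey(size: .bits256)

        // 2. Stage it in the Keychain immediately. The original re-encrypted
        //    first and saved afterwards, so a crash in between would have left
        //    all data encrypted under a key that existed only in memory.
        try store(newMasterKey, tag: Self.pendingMasterKeyTag)

        // 3. Re-encrypt while the outgoing key is still under the live tag.
        //    `reencryptAllData(with:)` is assumed to read the old key from there
        //    (the original's ordering implies this) — confirm against its body.
        try reencryptAllData(with: newMasterKey)

        // 4. Retire the old key instead of overwriting it. The original deleted
        //    "<tag>.old" without ever having written anything under it.
        let oldMasterKeyData = try keychain.retrieveKey(tag: Self.masterKeyTag)
        try keychain.saveKey(
            oldMasterKeyData,
            tag: Self.retiredMasterKeyTag,
            requiresBiometric: true,
            accessible: .whenUnlockedThisDeviceOnly
        )

        // 5. Promote the new key with the same protections `setupMasterKey()`
        //    applies. The original's `saveKey(_:tag:)` call stored the rotated
        //    key with default attributes, silently weakening it. Deleting first
        //    avoids depending on whether saveKey overwrites duplicates — confirm.
        try keychain.deleteKey(tag: Self.masterKeyTag)
        try store(newMasterKey, tag: Self.masterKeyTag)

        // 6. Both spare copies are now redundant.
        try keychain.deleteKey(tag: Self.pendingMasterKeyTag)
        try keychain.deleteKey(tag: Self.retiredMasterKeyTag)
    }

    /// Stores `key` under `tag` with the strongest protection this class uses:
    /// biometric gating plus device-bound, unlocked-only accessibility.
    private func store(_ key: SymmetricKey, tag: String) throws {
        let keyData = key.withUnsafeBytes { Data($0) }
        try keychain.saveKey(
            keyData,
            tag: tag,
            requiresBiometric: true,
            accessible: .whenUnlockedThisDeviceOnly
        )
    }
}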