The IT Law Wiki


Key management (also cryptographic key management or CKM) is

[t]he activities involving the handling of cryptographic keys and other related security parameters (e.g., initialization vectors and passwords) during the entire life cycle of the keys, including their generation, storage, establishment, entry and output, and zeroization.[1]
[t]he generation, storage, distribution, deletion, archiving and application of keys in accordance with a security policy.[2]


Key management is required whenever cryptography is used, to ensure that one or more cryptographic keys are properly generated, that they are distributed to wherever they are needed for cryptographic processing, and that they are stored securely so that they are available when needed and not disclosed to unauthorized users or processes.
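As an added illustration of the life-cycle stages named in the definitions above (generation, storage, application under a security policy, archiving and zeroization), here is a small key-management skeleton; it is example code written for this page, not code from FIPS 140-2 or the ITU compendium, and the KeyManager, KeyState and is_denied names, the "protect"/"process" purposes and the injected clock are assumptions of the example.

```python
import secrets
from dataclasses import dataclass
from enum import Enum

class KeyState(Enum):
    ACTIVE = "active"        # may protect new data and process existing data
    ARCHIVED = "archived"    # may only process (decrypt/verify) existing data
    DESTROYED = "destroyed"  # zeroized; every use is refused

@dataclass
class ManagedKey:
    material: bytearray      # mutable, so zeroization can overwrite it in place
    created_at: float
    state: KeyState = KeyState.ACTIVE

class KeyManager:
    def __init__(self, cryptoperiod_s: float, clock):
        self._keys: dict[str, ManagedKey] = {}
        self._cryptoperiod_s = cryptoperiod_s  # how long a key may protect new data
        self._clock = clock                    # injected, so expiry can be exercised

    def generate(self, key_id: str, length: int = 32) -> ManagedKey:
        # Generation: fresh CSPRNG output; a password or its hash is not a key.
        self._keys[key_id] = ManagedKey(bytearray(secrets.token_bytes(length)), self._clock())
        return self._keys[key_id]

    def use(self, key_id: str, purpose: str) -> memoryview:
        # Application: "protect" (encrypt/sign) needs an active, unexpired key; "process" (decrypt/verify) lasts until zeroization.
        key = self._keys[key_id]
        if key.state is KeyState.DESTROYED:
            raise PermissionError(f"{key_id}: key has been zeroized")
        expired = self._clock() - key.created_at > self._cryptoperiod_s
        if purpose == "protect" and (expired or key.state is KeyState.ARCHIVED):
            raise PermissionError(f"{key_id}: may only process existing data")
        return memoryview(key.material)  # a view, not a copy: blank after zeroization

    def archive(self, key_id: str) -> None:
        self._keys[key_id].state = KeyState.ARCHIVED
    def zeroize(self, key_id: str) -> None:
        key = self._keys[key_id]
        key.material[:] = bytes(len(key.material))  # overwrite in place; immutable bytes could not be
        key.state = KeyState.DESTROYED

def is_denied(action) -> bool:
    # True if the manager refuses the action; used to exercise the policy.
    try:
        action()
    except PermissionError:
        return True
    return False
```

A real deployment would also wrap stored key material under a key-encrypting key or keep it inside an HSM; this skeleton only shows the state transitions and the policy checks the definitions call for.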

Key management has been identified as a major component of national cybersecurity initiatives that address the protection of information processing applications. Key management is needed for e-commerce, banking, air traffic control, the aerospace industry, defense, emergency first responders, the health care industry, the Internet (routing, DNSSEC, etc.), citizens and consumers.

Numerous problems have been identified in current key management methodologies, including the lack of guidance, inadequate scalability of the methods used to distribute keys and user dissatisfaction because of the "unfriendliness" of these methods.


  1. FIPS 140-2.
  2. ITU, "Compendium of Approved ITU-T Security Definitions," at 24 (Feb. 2003 ed.) (full text).
