< ciso
brief />
Tag Banner

All news with #key management tag

41 articles

Azure Managed HSM external key management preview

🔐 Azure announces public preview of external key management for Managed HSM, enabling customers to keep key material on HSMs they own and operate outside Microsoft infrastructure. The feature connects Azure cryptographic operations to external HSMs via a dedicated API endpoint while keeping keys from ever residing in Azure. It targets scenarios with strict regulatory or contractual data-sovereignty requirements and shifts more operational responsibility to customers.
read more →

Start Post‑Quantum Cryptography with Credentials

🔐 Today’s public-key cryptography faces a future threat from quantum computers that can render intercepted ciphertext and stored credentials decryptable. Agencies like the NSA and standards bodies such as NIST have set Q-day deadlines between 2027 and 2035 to phase in quantum-resistant algorithms, while enterprises face multi-year migrations. A practical approach is credentials-first: inventory secrets, prioritize long-lived, high-impact credentials, adopt hybrid cryptography, and design for crypto-agility to reduce Harvest Now, Decrypt Later risks.
read more →

Amazon Cognito adds customer managed KMS keys

🔐 Amazon Cognito now supports customer managed keys in AWS Key Management Service (KMS) to encrypt user pool data at rest. While AWS-owned keys remain the default, customer managed keys let organizations control key lifecycle and access policies to meet governance requirements. You can set a key when creating a new user pool or update an existing one, and audit key usage via AWS CloudTrail. Available in Essentials and Plus tiers with standard AWS KMS charges.
read more →

XChat launch raises serious privacy and security doubts

🔒 Elon Musk’s XChat launched on iOS in April 2026 as a purportedly private messaging alternative, but its encryption model and key handling have raised alarm among experts. XChat stores users’ private keys on servers protected by HSMs and uses four-digit PINs to encrypt those keys for multi-device sync, a design that undermines classic end-to-end guarantees. Practical issues — message requests sent without E2EE, confusing PIN prompts, and weak brute-force protection — further complicate user security. The net result: XChat offers convenience at the cost of meaningful privacy assurances.
read more →

AWS KMS GetKeyLastUsage improves key audits

🔐 AWS KMS introduced the GetKeyLastUsage API to report the date, time, operation type, CloudTrail event ID, and KMS request ID for the most recent cryptographic operation on a key. The feature works for customer-managed and AWS-managed keys across specs and origins and is visible in the AWS Management Console and AWS CLI. Tracking of last usage began on April 23, 2026 for most Regions, so historical gaps before tracking began should be considered. Use DisableKey, monitoring, and the kms:TrailingDaysWithoutKeyUsage condition to prevent accidental deletions.
read more →

Amazon Quick Research adds customer-managed KMS keys

🔒 Amazon Quick Research now supports encryption using customer-managed keys (CMKs) via AWS Key Management Service, enabling organizations to control encryption, auditing, and key lifecycle. Customers can use multiple CMKs with one default key per AWS account per region and must create CMKs in the same account and region as Quick resources. Only symmetric KMS keys are supported, and CloudTrail integration provides comprehensive audit trails and the ability to revoke compromised keys within 15 minutes. The feature is generally available in all AWS Regions where Amazon Quick is offered.
read more →

Amazon Quick Research adds customer-managed KMS keys

🔐 Amazon Quick Research now supports customer-managed keys (CMKs) via AWS Key Management Service (KMS), enabling organizations to manage encryption keys for their Quick data. Customer-managed keys provide enhanced control, CloudTrail-based auditing, and the ability to revoke compromised keys within 15 minutes. Only symmetric KMS keys created in the same account and region are supported, with one default CMK per account per region and support for multiple CMKs across datasets.
read more →

AWS Payment Cryptography Achieves PCI PIN and P2PE

🔒 AWS announced the completion of PCI PIN and PCI P2PE assessments for AWS Payment Cryptography, expanding validations to include Key Management (KMCP) and Key Loading (KLCP) alongside the existing Decryption Management (DMCP). The coverage is extended to South America (São Paulo) and Asia Pacific (Sydney) Regions. These attestations allow customers to use PCI PTS HSM-certified, AWS-managed HSMs with compliant key management to simplify regulated deployments.
read more →

AWS Payment Cryptography: Cross-Account Key Sharing

🔐 AWS announced support for cross-account key sharing in AWS Payment Cryptography using resource-based policies (RBP). Organizations can now maintain a single authoritative copy of cryptographic keys and grant per-resource access to other AWS accounts—internal or external—without import/export workflows. This reduces duplication, simplifies key lineage and access control, and helps teams scale cryptography operations in cloud-hosted payment applications. The feature is available in all Regions where the service runs; consult the user guide to get started.
read more →

AWS Payment Cryptography: Physical Key Exchange Support

🔐 AWS Payment Cryptography now offers Physical Key Exchange, a PCI PIN and P2PE-compliant option that enables paper-based cryptographic key exchange without customers having to maintain their own secure key-loading infrastructure. Paper key components are shipped to trained AWS key custodians, who perform key ceremonies in AWS-operated secure facilities meeting the required physical and logical controls. Once loaded, keys are available to the managed service for cryptographic operations, helping organizations accelerate migration when partners do not support electronic key exchange.
read more →

Azure Integrated HSM Open-sourced to Increase Trust

🔐 Microsoft is open-sourcing the firmware, drivers, and software stack for the Azure Integrated HSM, a tamper-resistant hardware security module built into new Azure servers and engineered to meet FIPS 140-3 Level 3. The move, announced at the OCP EMEA Summit, includes publishing validation artifacts and launching an OCP workgroup to guide ongoing development. Azure says the HSM protects keys in hardware so they never appear in host or guest memory, reducing classes of exfiltration attacks, and will be available in Azure V7 VMs globally in the coming weeks.
read more →

AWS Payment Cryptography Adds Multi-Party Approval

🔐 AWS Payment Cryptography now supports Multi-party approval (MPA) for importing root certificates, adding an extra governance layer to critical key management operations. Organizations using X.509 and PKI with asymmetric keys (RSA, ECC) can require two or more authorized approvers even if the requester holds IAM permissions. The capability integrates with AWS IAM Identity Center so teams can review and act on pending requests through a managed approval portal, and it is available in all regions where the service runs with no additional charge beyond standard API rates.
read more →

AWS KMS Adds Last-Usage Visibility for Keys Across Regions

🔒 AWS Key Management Service (KMS) now surfaces the timestamp, operation type, and AWS CloudTrail event ID for the last cryptographic operation performed with each KMS key, viewable in the console or via API. This eliminates manual log queries and helps administrators and compliance teams quickly identify unused keys, verify active usage, and trace key activity. A new condition key, kms:TrailingDaysWithoutKeyUsage, enables policy-based protection against accidental deletion of recently used keys, and the capability is available in all AWS Regions including GovCloud and China.
read more →

Cloning AWS CloudHSM Clusters Across Regions Securely

🛡️ This AWS Security Blog post demonstrates how to clone an AWS CloudHSM cluster across Regions using the copy-backup-to-region workflow and Client SDK 5 (recommended version 5.17 or later). It walks through creating and initializing a source cluster, generating a backup, copying that backup to a destination Region, and launching a new cluster from the copied backup, including certificate transfer and security group adjustments. The guide emphasizes that non-exportable keys can only be synchronized to cloned clusters, that users and passwords must be maintained manually after the initial backup, and that Client SDK 3 reached end-of-support on January 1, 2025, so migration to SDK 5 is required.
read more →

AWS Payment Cryptography Now Available in São Paulo

🔐 AWS Payment Cryptography is now available in South America (São Paulo), allowing latency-sensitive payment workloads to run closer to their applications. The fully managed service centralizes payment-specific cryptography and key management and is assessed as PCI PIN and PCI P2PE compliant. Organizations such as acquirers, payment facilitators, networks, switches, processors, and banks can reduce dependence on dedicated payment HSMs and auxiliary data centers. To start, update your AWS CLI/SDK and consult the service user guide for region-specific guidance.
read more →

How AWS KMS and Encryption SDK Avoid AES-GCM Limits

🔒 This post explains how AWS KMS and the AWS Encryption SDK mitigate AES-GCM invocation and data bounds by deriving a fresh symmetric key per encryption using nonce-based KDFs. By producing unique K_d values (via HMAC-SHA256 in KMS and HKDF-SHA512 in the SDK) and using per-invocation IV and frame controls, they prevent (K, IV) reuse and limit exhaustion. Default settings—128- or 256-bit nonces, 96-bit IVs, and 4 KB frames—keep total data and invocation counts well within conservative security margins, reducing the need for manual key rotation and operational tracking.
read more →

Post-Quantum Roadmap for US Enterprises Targeting 2030

🔒 US organizations should begin operationalizing post-quantum cryptography now to protect long-lived secrets and meet an emerging 2030 readiness horizon. With NIST finalizing initial PQC standards in 2024 and agencies like NSA and CISA aligning guidance, a pragmatic hybrid strategy—pairing existing classical algorithms (ECDHE/TLS) with post-quantum primitives such as ML-KEM—reduces long-term confidentiality risk while preserving interoperability. Start with a comprehensive crypto inventory tied to data value, pilot internal mTLS, VPN and code-signing migrations in a lab, improve crypto agility, add telemetry for rollout metrics, and add PQC requirements into procurement to buy time and avoid last-minute disruption.
read more →

Prepare Now for Post-Quantum Cryptography Migration

🔐 The article warns that patient adversaries follow a "Harvest Now, Decrypt Later" strategy and urges organizations to begin Post-Quantum Cryptography (PQC) migration immediately to protect long-lived data. It prescribes a five-phase migration framework—Preparation, Diagnosis, Planning, Execution, and Continuous Monitoring—and recommends hybrid deployments to retain compatibility. Practical guidance covers asset inventories, risk prioritization (Mosca's Theorem), vendor engagement, and adopting cryptographic agility with references to ML-KEM, TLS, and NIST/CISA guidance.
read more →

Why Key Management Is the Weakest Link in Crypto Operations

🔐 Key management — the lifecycle discipline governing key generation, storage, rotation and destruction — has become the weakest operational link as organizations race toward post-quantum and AI-driven systems. While public debate centers on algorithms, real failures stem from long-lived keys, unclear ownership, manual rotation and untested recovery. AI pipelines and autonomous agents amplify these risks, so teams must adopt short-lived, purpose-bound keys, automated rotation and practiced cryptographic incident response.
read more →

Microsoft Provides BitLocker Keys to FBI Under Orders

🔐 Microsoft has the technical ability to release BitLocker recovery keys to the FBI when presented with appropriate court orders, a capability reportedly exercised roughly twenty times per year. While users can keep recovery keys only on their own devices, Microsoft advises storing them on its servers for convenience. That cloud backup simplifies recovery after lost credentials or device lockouts but also makes keys accessible to law enforcement through subpoenas or warrants.
read more →