ciso brief

All news with #key management tag

34 articles

AWS Payment Cryptography Achieves PCI PIN and P2PE

🔒 AWS announced the completion of PCI PIN and PCI P2PE assessments for AWS Payment Cryptography, expanding validations to include Key Management (KMCP) and Key Loading (KLCP) alongside the existing Decryption Management (DMCP). The coverage is extended to South America (São Paulo) and Asia Pacific (Sydney) Regions. These attestations allow customers to use PCI PTS HSM-certified, AWS-managed HSMs with compliant key management to simplify regulated deployments.

AWS Payment Cryptography: Cross-Account Key Sharing

🔐 AWS announced support for cross-account key sharing in AWS Payment Cryptography using resource-based policies (RBP). Organizations can now maintain a single authoritative copy of cryptographic keys and grant per-resource access to other AWS accounts—internal or external—without import/export workflows. This reduces duplication, simplifies key lineage and access control, and helps teams scale cryptography operations in cloud-hosted payment applications. The feature is available in all Regions where the service runs; consult the user guide to get started.

AWS Payment Cryptography: Physical Key Exchange Support

🔐 AWS Payment Cryptography now offers Physical Key Exchange, a PCI PIN and P2PE-compliant option that enables paper-based cryptographic key exchange without customers having to maintain their own secure key-loading infrastructure. Paper key components are shipped to trained AWS key custodians, who perform key ceremonies in AWS-operated secure facilities meeting the required physical and logical controls. Once loaded, keys are available to the managed service for cryptographic operations, helping organizations accelerate migration when partners do not support electronic key exchange.

Azure Integrated HSM Open-sourced to Increase Trust

🔐 Microsoft is open-sourcing the firmware, drivers, and software stack for the Azure Integrated HSM, a tamper-resistant hardware security module built into new Azure servers and engineered to meet FIPS 140-3 Level 3. The move, announced at the OCP EMEA Summit, includes publishing validation artifacts and launching an OCP workgroup to guide ongoing development. Azure says the HSM protects keys in hardware so they never appear in host or guest memory, reducing classes of exfiltration attacks, and will be available in Azure V7 VMs globally in the coming weeks.

AWS Payment Cryptography Adds Multi-Party Approval

🔐 AWS Payment Cryptography now supports Multi-party approval (MPA) for importing root certificates, adding an extra governance layer to critical key management operations. Organizations using X.509 and PKI with asymmetric keys (RSA, ECC) can require two or more authorized approvers even if the requester holds IAM permissions. The capability integrates with AWS IAM Identity Center so teams can review and act on pending requests through a managed approval portal, and it is available in all regions where the service runs with no additional charge beyond standard API rates.

AWS KMS Adds Last-Usage Visibility for Keys Across Regions

🔒 AWS Key Management Service (KMS) now surfaces the timestamp, operation type, and AWS CloudTrail event ID for the last cryptographic operation performed with each KMS key, viewable in the console or via API. This eliminates manual log queries and helps administrators and compliance teams quickly identify unused keys, verify active usage, and trace key activity. A new condition key, kms:TrailingDaysWithoutKeyUsage, enables policy-based protection against accidental deletion of recently used keys, and the capability is available in all AWS Regions including GovCloud and China.

Cloning AWS CloudHSM Clusters Across Regions Securely

🛡️ This AWS Security Blog post demonstrates how to clone an AWS CloudHSM cluster across Regions using the copy-backup-to-region workflow and Client SDK 5 (recommended version 5.17 or later). It walks through creating and initializing a source cluster, generating a backup, copying that backup to a destination Region, and launching a new cluster from the copied backup, including certificate transfer and security group adjustments. The guide emphasizes that non-exportable keys can only be synchronized to cloned clusters, that users and passwords must be maintained manually after the initial backup, and that Client SDK 3 reached end-of-support on January 1, 2025, so migration to SDK 5 is required.

AWS Payment Cryptography Now Available in São Paulo

🔐 AWS Payment Cryptography is now available in South America (São Paulo), allowing latency-sensitive payment workloads to run closer to their applications. The fully managed service centralizes payment-specific cryptography and key management and is assessed as PCI PIN and PCI P2PE compliant. Organizations such as acquirers, payment facilitators, networks, switches, processors, and banks can reduce dependence on dedicated payment HSMs and auxiliary data centers. To start, update your AWS CLI/SDK and consult the service user guide for region-specific guidance.

How AWS KMS and Encryption SDK Avoid AES-GCM Limits

🔒 This post explains how AWS KMS and the AWS Encryption SDK mitigate AES-GCM invocation and data bounds by deriving a fresh symmetric key per encryption using nonce-based KDFs. By producing unique K_d values (via HMAC-SHA256 in KMS and HKDF-SHA512 in the SDK) and using per-invocation IV and frame controls, they prevent (K, IV) reuse and limit exhaustion. Default settings—128- or 256-bit nonces, 96-bit IVs, and 4 KB frames—keep total data and invocation counts well within conservative security margins, reducing the need for manual key rotation and operational tracking.
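The per-message key derivation described above, as an added example written for this page and not code from AWS KMS or the AWS Encryption SDK: a long-lived key K is mixed with a fresh 256-bit nonce through HKDF-SHA512 to produce a one-time AES-256-GCM key K_d, so no two messages ever share a (key, IV) pair even if a random 96-bit IV happens to repeat. The nonce length, the info label, the message layout (nonce || IV || ciphertext) and the 4 KB frame size in the bound check are assumptions for this example; the per-key and per-invocation limits themselves are the NIST SP 800-38D figures.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// Added example, not AWS code. Sizes and labels below are assumptions.
const (
	nonceLen = 32 // 256-bit per-message nonce fed to the KDF (assumed)
	ivLen    = 12 // 96-bit GCM IV, the NIST-recommended size
	keyLen   = 32 // AES-256

	// NIST SP 800-38D limits for one GCM key with 96-bit IVs.
	maxPlaintextPerInvocation = int64(1)<<36 - 32 // (2^39 - 256) bits
	maxInvocationsPerKey      = int64(1) << 32    // conservative random-IV bound
)

// hkdfSHA512 is RFC 5869 extract-then-expand over HMAC-SHA512, written out
// so the example needs only the standard library.
func hkdfSHA512(ikm, salt, info []byte, length int) ([]byte, error) {
	if length <= 0 || length > 255*sha512.Size {
		return nil, errors.New("hkdf: invalid output length")
	}
	if len(salt) == 0 {
		salt = make([]byte, sha512.Size) // RFC 5869 default: HashLen zero bytes
	}
	extract := hmac.New(sha512.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)
	var okm, prev []byte
	for counter := byte(1); len(okm) < length; counter++ {
		expand := hmac.New(sha512.New, prk)
		expand.Write(prev) // T(i-1)
		expand.Write(info)
		expand.Write([]byte{counter})
		prev = expand.Sum(nil)
		okm = append(okm, prev...)
	}
	return okm[:length], nil
}

// deriveMessageKey computes K_d = HKDF-SHA512(K, info = label || nonce).
// A fresh nonce per message yields a fresh K_d, so the GCM key never repeats.
func deriveMessageKey(k, nonce []byte) ([]byte, error) {
	info := append([]byte("AES-256-GCM message key:"), nonce...) // label assumed
	return hkdfSHA512(k, nil, info, keyLen)
}

// sealMessage encrypts one message as nonce || iv || ciphertext||tag, binding
// the header into the AAD so a tampered nonce or IV fails authentication.
func sealMessage(k, plaintext, aad []byte) ([]byte, error) {
	if int64(len(plaintext)) > maxPlaintextPerInvocation {
		return nil, errors.New("plaintext exceeds GCM per-invocation bound")
	}
	hdr := make([]byte, nonceLen+ivLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	nonce, iv := hdr[:nonceLen], hdr[nonceLen:]
	gcm, err := newGCM(k, nonce)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, iv, plaintext, append(append([]byte{}, hdr...), aad...))
	return append(hdr, ct...), nil
}

// openMessage reverses sealMessage: re-derive K_d from the carried nonce.
func openMessage(k, msg, aad []byte) ([]byte, error) {
	if len(msg) < nonceLen+ivLen {
		return nil, errors.New("message too short")
	}
	hdr, ct := msg[:nonceLen+ivLen], msg[nonceLen+ivLen:]
	gcm, err := newGCM(k, hdr[:nonceLen])
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, hdr[nonceLen:], ct, append(append([]byte{}, hdr...), aad...))
}

func newGCM(k, nonce []byte) (cipher.AEAD, error) {
	kd, err := deriveMessageKey(k, nonce)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(kd)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// distinctMessageKeys derives n message keys under one K and returns how many
// were unique; with a 256-bit nonce this equals n.
func distinctMessageKeys(k []byte, n int) (int, error) {
	seen := make(map[[keyLen]byte]struct{}, n)
	for i := 0; i < n; i++ {
		nonce := make([]byte, nonceLen)
		if _, err := rand.Read(nonce); err != nil {
			return 0, err
		}
		kd, err := deriveMessageKey(k, nonce)
		if err != nil {
			return 0, err
		}
		var key [keyLen]byte
		copy(key[:], kd)
		seen[key] = struct{}{}
	}
	return len(seen), nil
}

// withinGCMBounds reports whether a planned use of one GCM key (K_d) stays
// under the SP 800-38D limits. With per-message derivation, invocationsPerKey
// is the number of frames a single message is split into.
func withinGCMBounds(invocationsPerKey, bytesPerInvocation int64) bool {
	return invocationsPerKey <= maxInvocationsPerKey &&
		bytesPerInvocation <= maxPlaintextPerInvocation
}

func main() {
	k := make([]byte, keyLen) // constructed long-lived key K for the demo
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	pt, aad := []byte("constructed sample record"), []byte("tenant=example")
	msg, err := sealMessage(k, pt, aad)
	if err != nil {
		panic(err)
	}
	got, err := openMessage(k, msg, aad)
	if err != nil {
		panic(err)
	}
	uniq, _ := distinctMessageKeys(k, 10000)
	fmt.Printf("round trip ok: %v; unique K_d over 10000 messages: %d\n", bytes.Equal(got, pt), uniq)
	fmt.Printf("4 KB frames within GCM bounds: %v\n", withinGCMBounds(1, 4096))
}
```

The derived key, not K itself, is what touches AES-GCM, so the counters that matter for the SP 800-38D bounds reset with every message; the long-lived K is only ever an HKDF input, which is why the post can say rotation driven by GCM exhaustion is no longer an operational concern.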

Post-Quantum Roadmap for US Enterprises Targeting 2030

🔒 US organizations should begin operationalizing post-quantum cryptography now to protect long-lived secrets and meet an emerging 2030 readiness horizon. With NIST finalizing initial PQC standards in 2024 and agencies like NSA and CISA aligning guidance, a pragmatic hybrid strategy—pairing existing classical algorithms (ECDHE/TLS) with post-quantum primitives such as ML-KEM—reduces long-term confidentiality risk while preserving interoperability. Start with a comprehensive crypto inventory tied to data value, pilot internal mTLS, VPN and code-signing migrations in a lab, improve crypto agility, instrument the rollout with telemetry, and write PQC requirements into procurement to buy time and avoid last-minute disruption.

Prepare Now for Post-Quantum Cryptography Migration

🔐 The article warns that patient adversaries follow a "Harvest Now, Decrypt Later" strategy and urges organizations to begin Post-Quantum Cryptography (PQC) migration immediately to protect long-lived data. It prescribes a five-phase migration framework—Preparation, Diagnosis, Planning, Execution, and Continuous Monitoring—and recommends hybrid deployments to retain compatibility. Practical guidance covers asset inventories, risk prioritization (Mosca's Theorem), vendor engagement, and adopting cryptographic agility with references to ML-KEM, TLS, and NIST/CISA guidance.

Why Key Management Is the Weakest Link in Crypto Operations

🔐 Key management — the lifecycle discipline governing key generation, storage, rotation and destruction — has become the weakest operational link as organizations race toward post-quantum and AI-driven systems. While public debate centers on algorithms, real failures stem from long-lived keys, unclear ownership, manual rotation and untested recovery. AI pipelines and autonomous agents amplify these risks, so teams must adopt short-lived, purpose-bound keys, automated rotation and practiced cryptographic incident response.

Microsoft Provides BitLocker Keys to FBI Under Orders

🔐 Microsoft has the technical ability to release BitLocker recovery keys to the FBI when presented with appropriate court orders, a capability reportedly exercised roughly twenty times per year. While users can keep recovery keys only on their own devices, Microsoft advises storing them on its servers for convenience. That cloud backup simplifies recovery after lost credentials or device lockouts but also makes keys accessible to law enforcement through subpoenas or warrants.

Google Cloud Single-tenant Cloud HSM Now Generally Available

🔐 Single-tenant Cloud HSM is now generally available in the U.S. and EU, offering dedicated, hardware-enforced key isolation for regulated workloads. It provides FIPS 140-2 Level 3 validated Marvell LiquidSecurity HSMs, quorum-based administration, and the ability to revoke Google access to make keys unavailable. Google manages provisioning and high availability while customers retain root key control and can provision clusters in minutes using gcloud.

AWS CloudHSM: Updated PCI PIN Compliance Package Available

🔒 AWS announced successful completion of the PCI PIN audit for AWS CloudHSM. The attestation, conducted by Coalfire, validated CloudHSM on FIPS 140-3 Level 3 hardware with zero findings. The compliance package includes a PCI PIN Attestation of Compliance and a PCI PIN Responsibility Summary to clarify customer obligations. Customers can retrieve reports via AWS Artifact and may consider AWS Payment Cryptography as a managed alternative for PIN operations such as translation.

AWS Payment Cryptography Achieves PCI PIN Compliance

🔒 AWS announced that AWS Payment Cryptography successfully completed the PCI PIN audit and received an Attestation of Compliance with zero findings. The updated compliance package includes the PCI PIN AOC and a PCI PIN Responsibility Summary that clarifies shared responsibilities for developing and operating secure PIN-handling environments. The attestation confirms use of PCI PTS HSM-certified, fully managed hardware and PCI PIN-compliant key management; reports validated by the QSA Coalfire are available through AWS Artifact.

Centralized vs Decentralized Secrets Management on AWS

🔐 This post compares centralized and decentralized approaches to secrets management across four lifecycle domains: creation, storage, rotation, and monitoring. It explains how platform engineering and golden paths can centralize creation to enforce naming, tagging, and least-privilege checks while acknowledging the resource cost and maintenance burden. The article contrasts centralized storage (simplified monitoring but higher cross-account complexity and KMS costs) with storing secrets in workload accounts (better isolation, delegated ownership). Finally, it recommends centralizing auditing and observability while allowing hybrid architectures that balance control, speed, and operational scale.

G7 Sets 2034 Deadline for Financial PQC Migration Plan

🔐 The G7 Cyber Expert Group has published a recommended roadmap asking financial firms and public entities to complete transition to post-quantum cryptography (PQC) by 2034 to anticipate future quantum-enabled threats. The non-prescriptive guidance outlines six phased activities from awareness and inventory to migration, testing and validation, with overlapping timelines beginning in 2025. It stresses a risk- and standards-based approach, crypto agility and cross-jurisdiction collaboration to reduce fragmentation and enhance interoperability.

AWS Payment Cryptography Now Available in Hyderabad, Paris

🔐 AWS Payment Cryptography is now available in Asia Pacific (Hyderabad) and Europe (Paris), enabling customers with latency-sensitive payment applications to deploy or migrate cryptographic operations closer to their workloads. The fully managed service simplifies payment-specific cryptographic operations and key management, scales elastically, and is assessed for PCI PIN and PCI P2PE compliance. Organizations can reduce dependence on dedicated payment HSMs and use these regions for additional multi-region high availability.

AWS Payment Cryptography Adds AS2805 Support in Sydney

🔐 AWS Payment Cryptography is now available in the Asia Pacific (Sydney) Region and adds AS2805 functionality, the Australian standard for interchange between financial-transaction nodes. The update enables migration of node-to-node payment workloads to an elastic, AWS-managed service that uses PCI-certified HSMs, removing the need for standalone hardware appliances. The service integrates with AWS IAM and AWS CloudTrail and supports standard AWS CLI/SDK tooling to simplify deployment and compliance verification.