Apply key rotation, HSM hardware security, envelope encryption with KMS, HKDF key derivation, and understand PKCS standards for key formats.
0 / 5 completed
1 / 5
What is key rotation and why is it an important security practice?
Key rotation: a key that encrypts years of data is a high-value target — compromise exposes everything. Rotating keys limits the blast radius. Envelope encryption (encrypt data with a data encryption key, encrypt that key with a key encryption key) enables rotation by re-wrapping only the DEK, not re-encrypting all data.
2 / 5
What is an HSM (Hardware Security Module) and what security property does it provide?
HSM: cloud HSMs (AWS CloudHSM, Azure Dedicated HSM) provide FIPS 140-2 Level 3 validated hardware. Cryptographic operations are executed inside the HSM — the host sends data to be signed or encrypted and receives the result, but never the key material. HSMs are required for payment processing (PCI-DSS) and regulated industries.
3 / 5
What is envelope encryption as used in AWS KMS and similar services?
Envelope encryption: you generate a DEK locally, use it to encrypt your data, then call kms.encrypt(DEK) to get a ciphertext DEK. Store the encrypted DEK with your data. To decrypt: call kms.decrypt(encrypted_DEK), use the resulting DEK to decrypt data, then discard the plaintext DEK. The KMS master key never leaves KMS hardware.
4 / 5
What is a Key Derivation Function (KDF) and when is it used instead of a random key?
KDF: HKDF (HMAC-based KDF) takes an input key material and produces keys for different purposes: HKDF(secret, salt, info="encryption") → enc_key, HKDF(secret, salt, info="auth") → mac_key. PBKDF2, bcrypt, and Argon2 are password KDFs that add computational cost to slow brute-force attacks on low-entropy passwords.
5 / 5
What do the PKCS standards define in the context of cryptography?
PKCS standards: PKCS#8 is the standard format for private keys in PEM files (-----BEGIN PRIVATE KEY-----). PKCS#12 (.pfx/.p12) bundles a certificate and private key for import into browsers and servers. PKCS#11 defines the Cryptoki API that applications use to communicate with HSMs from any vendor.