Encryption Keys
Yuki enforces comprehensive cryptographic controls across all systems.
Key Requirements
- Keys are rotated at least once every 12 months
- Keys are protected from unauthorized access at every stage of their lifecycle
- Key owners are responsible for managing their encryption keys, with mandatory access controls and regular backups
Key Management Service (KMS)
Yuki's KMS automates:
- Key generation and secure storage
- Access control
- Backup and rotation
User Roles
| Role | Responsibilities |
|---|---|
| Key Access Users | Encryption/decryption, data key generation |
| Key Administrators | Creation, deletion scheduling, rotation policies, usage rules |
Special Protections
Symmetric Encryption Keys: During distribution, symmetric keys must be either encrypted with a stronger algorithm or split into portions, each encrypted separately and transmitted via a different channel.
Hardware Tokens: Smartcards and USB tokens storing keys must not remain connected to computers when idle and must not travel in the same bag as the computer or device.
Credentials: All PINs, passwords, and passphrases protecting keys must meet Yuki's Password Policy standards.
Incident Response
The loss, theft, or potential unauthorized disclosure of any encryption key must be reported immediately. Compromised keys are invalidated upon detection.