
I am researching Key Management Solutions in order to become PCI compliant. I have spoken to a number of vendors in the arena, and while I like their products, the cost is beyond my budget. Is anyone aware of any open source or low cost solutions for Key Management? I use a Windows/.NET environment, so I would prefer solutions that target that environment, however I would be interested in hearing about anything that is out there.

Thanks

Dave

6 Answers


Take a look at KeyManager, which is the key management component of the OpenStack suite. The application can be used as a stand-alone key management solution outside of OpenStack.

Being a component of OpenStack, KeyManager is being actively developed with new features planned on six month cycles.

havoc1

We had a similar experience to yours. We needed a key management solution for PCI compliance and all the commercial products we saw were too expensive. Some key managers cost more than our product for small customers!

We ended up making a software based key manager. We made requirements and offshore developers coded it. At one time they were looking for other customers to use it. I don't know if they still are or not.

Let me explain the options we explored. The first thing to remember is that PCI compliance and security are different things; you can be PCI compliant and not very secure.

Option 0 - Assign a key per DB column, and store the keys in a DLL file. Your application links in the DLL file to access the keys to encrypt and decrypt the data. No one knows the keys. For periodic key replacement you make a new DLL with new keys, take downtime to decrypt all data using the old keys and re-encrypt the data using the new keys, then restart your application using the new DLL with the new keys. (Note: if you ever consider restoring a DB backup, you need to keep the old keys.)

The first time I heard about Option 0 I was surprised it was PCI compliant. We do not use Option 0.

Ways to improve on Option 0:

If you have an HSM in your environment, use the HSM to encrypt the keys in the DLL file. When your application starts it will decrypt the keys using the HSM. If you want more security, decrypt the keys every time they are needed.

Once your keys are encrypted, it is safe to store them in a DB table. If you assign each key (old and new) a small integer key-id, you can store the key-id with the encrypted data. That lets you do incremental key replacement and avoid down time.

Having your keys in the clear in memory in lots of processes increases your exposure to a memory scan attack finding the keys. You can create a new process that is the only process that decrypts the keys. Your applications talk to this new process to encrypt and decrypt data. This new process should be on a box with a small "surface area" to protect it. Since sensitive data is going over the network now, this communication should be encrypted. SSL is a good option.

brian beuning
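
The key-id scheme described in the answer above (a small integer stored with each encrypted value so that old and new keys can coexist and replacement happens incrementally) is language-neutral, so here is one way to lay it out as an added example. This is not code from the answer, from the question's .NET environment, or from any product mentioned on this page; it is written in Go because the layout is the same in any language. Everything in it is an assumption made for illustration: the `Keyring` type, the 2-byte big-endian key-id prefix, AES-256-GCM as the cipher, and the sample keys and card number in `main()` are all constructed. In a real deployment the keys would be handed over already unwrapped by the HSM or by the dedicated decryption process the answer describes, not generated in place.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const keyIDLen, nonceLen = 2, 12 // bytes of key-id prefix, bytes of AES-GCM nonce

// Keyring maps small integer key-ids to 256-bit data-encryption keys. Assumption:
// the keys were already unwrapped by an HSM or a dedicated decryption process.
type Keyring struct {
	keys   map[uint16][]byte
	active uint16 // key-id used for all new encryptions
}

func NewKeyring() *Keyring { return &Keyring{keys: make(map[uint16][]byte)} }

// AddKey registers a key under a never-reused id and makes that id the active one.
func (k *Keyring) AddKey(id uint16, key []byte) error {
	if _, dup := k.keys[id]; dup || len(key) != 32 {
		return fmt.Errorf("key-id %d: id must be unused and key must be 32 bytes", id)
	}
	k.keys[id] = append([]byte(nil), key...)
	k.active = id
	return nil
}

func (k *Keyring) aead(id uint16) (cipher.AEAD, error) {
	key, ok := k.keys[id]
	if !ok {
		return nil, fmt.Errorf("no key for key-id %d", id)
	}
	block, _ := aes.NewCipher(key) // key length was validated in AddKey
	return cipher.NewGCM(block)
}

// Encrypt writes [key-id (2 bytes BE)][nonce][ciphertext||tag]; the key-id is GCM
// additional data, so it is authenticated together with the ciphertext.
func (k *Keyring) Encrypt(plaintext []byte) ([]byte, error) {
	gcm, err := k.aead(k.active)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, keyIDLen+nonceLen)
	binary.BigEndian.PutUint16(hdr, k.active)
	if _, err := rand.Read(hdr[keyIDLen:]); err != nil {
		return nil, err
	}
	return append(hdr, gcm.Seal(nil, hdr[keyIDLen:], plaintext, hdr[:keyIDLen])...), nil
}

// KeyID reads a blob's key-id without decrypting, so a job can find rows on an old key.
func KeyID(blob []byte) (uint16, error) {
	if len(blob) < keyIDLen+nonceLen {
		return 0, fmt.Errorf("blob too short")
	}
	return binary.BigEndian.Uint16(blob), nil
}

// Decrypt uses whichever key the blob names; keep old keys until no row or restorable backup uses them.
func (k *Keyring) Decrypt(blob []byte) ([]byte, error) {
	id, err := KeyID(blob)
	if err != nil {
		return nil, err
	}
	gcm, err := k.aead(id)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[keyIDLen:keyIDLen+nonceLen], blob[keyIDLen+nonceLen:], blob[:keyIDLen])
}

// Rotate re-encrypts one row under the active key if it is on an older key-id (no downtime window).
func (k *Keyring) Rotate(blob []byte) ([]byte, bool, error) {
	id, err := KeyID(blob)
	if err != nil || id == k.active {
		return blob, false, err
	}
	pt, err := k.Decrypt(blob)
	if err != nil {
		return nil, false, err
	}
	out, err := k.Encrypt(pt)
	return out, err == nil, err
}

func main() {
	kr, k1, k2 := NewKeyring(), make([]byte, 32), make([]byte, 32) // constructed sample keys
	rand.Read(k1)
	rand.Read(k2)
	kr.AddKey(1, k1)
	row, _ := kr.Encrypt([]byte("4111111111111111")) // constructed sample card number
	kr.AddKey(2, k2)                                  // key-id 2 goes live; the old row stays readable
	row, changed, _ := kr.Rotate(row)
	fmt.Printf("rotated=%v, row now under key-id %d\n", changed, binary.BigEndian.Uint16(row))
}
```

Two details are worth noting. The key-id is fed to GCM as additional data, so a blob whose header has been pointed at a different (even valid) key fails authentication instead of returning garbage. And `KeyID` lets a batch job select the rows still on an old key without decrypting them, which is the query you run before deleting that key; as the answer says, a key that protected a backup you might restore has to be kept even after every live row has moved off it.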

I realize this is an old thread, but there are a couple of options:

  1. A completely free and open-source key-management solution is at http://sourceforge.net/projects/strongkey. I will admit, the software is a little dated and is fairly complex to set up because it assumes you have a PKI to issue digital certificates to application clients for communicating with the key-management server, and for securing keys on the client device.
  2. The original StrongKey software was simplified drastically three years ago and integrated into an appliance with a cryptographic hardware module (TPM and HSM) to provide stronger key-management. Unfortunately, even though the software on the appliance is all FOSS, the integrated solution itself is not free - its price is listed on its website (http://www.strongauth.com/products/key-appliance.html).

However, there are many advantages with option #2, as it allows you to leverage Public Clouds while being fully PCI-compliant (search for "Regulatory Compliant Cloud Computing (RC3)" and click on the link at IBM; I can only post two links in my answer), with more announcements about how to leverage this appliance coming at RSA 2013 in San Francisco.

I hope that helps.

Arshad Noor

KLMS over KMIP is a good and easy-to-use solution for key management. This is an open source solution written in Java. See the link below for reference. http://www.ibm.com/developerworks/library/se-kmip4j/

The package named stubInterface contains all the APIs required to use KLMS over KMIP.

KLMS: Key Lifecycle Management Systems

KMIP: Key Management Interoperability Protocol

Mohit Thakur

I will add to this list, as I found it in a search and others may benefit from an expanded list.

I have recently found Keywhiz, which appears to be in alpha.

garthoid

Snipe-IT is the best one I have seen that is open source, very robust, and very easy to use, even for non-techies.

https://snipeitapp.com/demo/

Check it out there.