Managing system encryption keys
CyberArk Trust Protection Foundation™ maintains all system information—that is, configuration settings, managed server and certificate information, credentials, archived certificates and private keys—in a database. To secure this information, Trust Protection Foundation uses either a software encryption key or a hardware encryption key on a supported HSM device to encrypt the information used to connect to the database.
Trust Protection Foundation also uses this encryption key to protect the sensitive encryption assets stored in the database, such as certificate private keys, Credential objects, and SSH keys.
HSM integration options
Trust Protection Foundation offers three types of HSM integration for enhanced key security:
- System encryption keys: Use an HSM to protect the master encryption key that secures data at rest in the database
- Central key generation: Use an HSM to generate certificate private keys with hardware-based entropy, where Trust Protection Foundation exports and stores the key (requires Advanced Key Protect)
- Remote key generation: Use an HSM to generate and store certificate private keys that never leave the HSM (requires Advanced Key Protect)
For information about central and remote key generation, see Advanced Key Protect.