
Last modified: March 14, 2025

Policy No. 4204 Encryption Procedure

Overview

The purpose of this procedure is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, this procedure provides direction to ensure that Federal regulations are followed, and legal authority is granted for the dissemination and use of encryption technologies outside of the United States.

Encryption Key Management, if not done properly, can lead to compromise and disclosure of private keys used to secure sensitive data, thereby compromising the data. While users may understand the importance of encrypting certain documents and electronic communications, they may not be familiar with minimum standards for protecting encryption keys.

Purpose

This procedure outlines the requirements for protecting encryption keys that are under the control of end users. These requirements are designed to prevent unauthorized disclosure and subsequent fraudulent use. The protection methods outlined include operational and technical controls, such as key backup procedures, encryption under a separate key, and the use of tamper-resistant hardware.

Scope

This procedure applies to any encryption keys listed below and to the person responsible for an encryption key. The encryption keys covered by this procedure are:

  • Encryption keys issued by PCSD
  • Encryption keys used for PCSD business
  • Encryption keys used to protect data owned by PCSD

Public keys contained in digital certificates are specifically exempted from this procedure.

Procedure

All encryption keys covered by this procedure must be protected to prevent unauthorized disclosure and subsequent fraudulent use.

Secret Key Encryption Keys

  • Keys used for secret key encryption, also called symmetric cryptography, must be protected as they are distributed to all parties that will use them.
  • During distribution, symmetric encryption keys must be encrypted using a stronger algorithm with the longest key length authorized in PCSD’s Acceptable Encryption Procedure.
  • If the keys are for the strongest algorithm, then the key must be split, each portion encrypted with a different key, and transmitted using different mechanisms.
  • Symmetric encryption keys, when at rest, must be protected with security measures at least as stringent as the measures used for distribution.
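The split-and-separate step above, shown as an added example that is not part of the PCSD procedure: a symmetric key is broken into XOR shares, each of which is statistically independent of the key, so a share intercepted on one distribution channel reveals nothing and only the full set reconstructs the key. Wrapping each share under a different key-encryption key and choosing the transport mechanisms are assumed to happen outside this block.

```python
import secrets


def split_key(key: bytes, shares: int = 2) -> list[bytes]:
    """Split `key` into `shares` XOR shares (n-of-n secret splitting).

    All shares but the last are uniformly random; the last is the XOR of the
    key with the others. Any proper subset of shares is independent of the key,
    so every share must travel before the key can be recovered.
    """
    if shares < 2:
        raise ValueError("need at least two shares")
    if not key:
        raise ValueError("key must not be empty")
    parts = [secrets.token_bytes(len(key)) for _ in range(shares - 1)]
    last = bytes(key)
    for p in parts:
        last = bytes(a ^ b for a, b in zip(last, p))
    parts.append(last)
    return parts


def combine_shares(parts: list[bytes]) -> bytes:
    """Reconstruct the key by XORing every share together.

    Refuses mismatched share lengths, which would indicate a corrupted or
    truncated share rather than a recoverable key.
    """
    if len(parts) < 2:
        raise ValueError("need at least two shares")
    n = len(parts[0])
    if any(len(p) != n for p in parts):
        raise ValueError("share lengths differ")
    out = bytes(n)
    for p in parts:
        out = bytes(a ^ b for a, b in zip(out, p))
    return out


def demo() -> tuple[bool, bool]:
    """Constructed 256-bit key: full share set recovers it, a subset does not."""
    key = secrets.token_bytes(32)  # constructed sample key, not a real secret
    parts = split_key(key, shares=3)
    full = combine_shares(parts) == key          # True
    partial = combine_shares(parts[:2]) == key   # False (with overwhelming probability)
    return full, partial


if __name__ == "__main__":
    print(demo())
```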

Public Key Encryption Keys

  • Public key cryptography, or asymmetric cryptography, uses public-private key pairs.
  • The public key is included in the digital certificate issued to the end user, while the private key must only be available to the assigned end user.

PCSD’s Public Key Infrastructure (PKI) Keys

  • The public-private key pairs used by PCSD’s PKI are generated on a tamper-resistant smart card issued to an individual end user.
  • The private key for identity certificates used for digital signatures will never leave the smart card.
  • The private key for encryption certificates must be escrowed in compliance with PCSD policies.
  • Access to private keys stored on a PCSD-issued smart card will be protected by a PIN known only to the cardholder.

Other Public Key Encryption Keys

  • Other keys may be generated in software on the end user’s computer and stored on a hard drive or hardware token.
  • If generated on a smart card, they follow the same protection requirements as PKI private keys.
  • If generated in software, users must create and securely store at least one backup and escrow copy.

Commercial or Outside Organization Public Key Infrastructure (PKI) Keys

  • In working with business partners, end users may use public-private key pairs stored in software-generated files on their hard drive.
  • Private keys are only protected by the strength of the user-chosen password.
  • Web browsers storing private keys must require a password entry each time a private key is accessed.

PGP Key Pairs

  • PGP public-private key pairs may be stored in key ring files on a computer hard drive or a hardware token (e.g., USB drive or smart card).
  • PGP must be configured to require entering the passphrase for every use of the private key.

Hardware Token Storage

  • Hardware tokens storing encryption keys will be treated as sensitive equipment per PCSD’s Physical Security procedure.
  • Tokens, smart cards, and USB tokens must not be left connected to a computer when not in use.
  • When traveling, users must store hardware tokens separately from their computer.

PINs, Passwords, and Passphrases

  • All PINs, passwords, or passphrases used to protect encryption keys must meet the complexity and length requirements in the PCSD Password Procedure.

Loss and Theft

  • Loss, theft, or potential unauthorized disclosure of encryption keys must be reported immediately to the InfoSec Team.
  • InfoSec personnel will guide users through required actions such as certificate revocation.

Key Agreement and Authentication

  • Key exchanges must use one of the following cryptographic protocols:
    • Diffie-Hellman
    • IKE
    • Elliptic Curve Diffie-Hellman (ECDH)
  • Endpoints must be authenticated before key exchange.
  • Public keys used to establish trust must be authenticated before use.
  • All authentication servers (e.g., RADIUS or TACACS) must use a valid certificate from a trusted provider.
  • All servers and applications using SSL or TLS must have certificates signed by a trusted provider.

Definitions and Terms

The following definitions and terms can be found in the SANS Glossary:

  • Certificate authority (CA)
  • Digital certificate
  • Digital signature
  • Key escrow
  • Plaintext
  • Public key cryptography
  • Public key pairs
  • Symmetric cryptography

Last Update Status:

Updated January 2015

Related Policies and Procedures
