#keymanagement — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #keymanagement, aggregated by home.social.

  1. BitLocker keys given to FBI highlight the danger of centralized cloud storage. Encryption without proper key management is security theater. Users must prioritize user-controlled key storage and transparency.

    saysomething.hashnode.dev/micr

  2. Does anyone have good resources on [personal] key management? That is, recent blog posts or books on the topic?

    This includes things like secure management and backup (SSS?), off-line/dedicated devices, managing many keys due to rotation, etc.

    e.g. If you encrypt old/past keys, even with a secure key, and that key leaks, you need to know where all the encrypted data is to destroy/rewrite it with a new key, so you can't just keep tons of backups.

    #Security #Cryptography #KeyManagement

  3. There is something darkly funny about one of the world's leading cryptography communities having to cancel its own leadership election because a decryption key walked off into the void. Oops. 😬 A failure of governance, key management, and the very human tendency to treat operational tasks as afterthoughts in systems that look elegant on paper.

    The voting system was solid: Helios, with verifiable, privacy-preserving ballots and a split key held by three trustees so that no two people could quietly rewrite the result. Then, everyday life intervened. One slice of key material is "irretrievably lost," and suddenly the only honest option is to throw out the entire election and start over. That's what happens when resilience to human error isn't a part of the threat model.

    The real lesson for CIOs and security leaders is simple: if your system assumes perfect humans, it is already broken. Cryptography gives you strong guarantees right up until someone misplaces a token, fails to back up a shard, or stores a key in the wrong place. Good design assumes keys will be lost, people will be unavailable, and someone will eventually click the wrong button on a bad day.

    This is why key management, recovery procedures, and threshold designs matter more than the logo on your algorithm. Always, always build for messy, imperfect human behavior: clear key ownership, documented handover, tested recovery drills, and quorum-based access that can tolerate one person making a mistake without taking the whole system down. The irony is that the more advanced your cryptography becomes, the more mundane your operational discipline needs to be.

    TL;DR
    🧠 Strong crypto fails fast when key management is weak
    ⚡ One lost key can nullify an entire election
    🎓 Design systems that expect human error, not perfect behavior
    🔍 Treat key governance and recovery as core security, not boring paperwork

    arstechnica.com/security/2025/

    #CyberSecurity #Cryptography #KeyManagement #CIO #security #privacy #cloud #infosec

  4. That said, I am glad that IACR is addressing this "human mistake" by making a "system design change" to a 2-of-3 quorum for the re-run.

    iacr.org/news/item/27138

    #IACR #Cryptography #KeyManagement #InfoSec #OPSEC #Elections

  9. Diving into the rabbit hole of multi/hybrid cloud environments with regard to encryption, key management, certificates, IAM, et cetera. Big fun 😀
    Always looking for recent and relevant literature on this subject.
    #cloud #iam #encryption #certificates #cybersecurity #keymanagement

  10. The European Union Agency for the Space Program is looking for a Crypto Custodian, implementing and auditing security practices for the Galileo and secure SATCOM programs (GOVSATCOM & IRIS2).

    vacancies.euspa.europa.eu/Jobs

    #OpSec #SATCOM #KeyManagement

  11. The #SMB market lacks affordable, off-the-shelf solutions for encrypted #LTO9 backups. However, there are effective #DIY options if you have basic knowledge of encrypted filesystems and #LTFS. While self-service requires more effort, cloud providers are all vastly more expensive at scale—and often still use the same basic equipment, minus robotic tape libraries and #keymanagement capabilities. You also won't need to trust your cloud provider with secret keys, manage third-party key escrow, or courier physical tapes for large-scale ransomware recovery operations.

    If you don't already have a cost-effective plan for ransomware recovery, it's never too late to start—unless you wait until after your online systems have been compromised, of course. Please don't do that!

  15. JumpCloud Resets API Keys Amid Ongoing Cybersecurity Incident:

    thehackernews.com/2023/07/jump

    My tips for all organizations using any type of static credentials:

    1️⃣ Store all API keys/secrets/passwords in a secrets manager service

    2️⃣ Create a process for key rotation

    3️⃣ Regularly review which keys you have, who used them, and when each key was last used

    4️⃣ Revoke unused keys

    #cybersecurity #applicationsecurity #keymanagement

  16. tired: check a key fingerprint manually by cross-checking multiple digits at a time.

    wired: go #crossEyed to see flashing digits.

    #keyManagement #hash #shasum

  17. Security lapse at South Africa’s LogBox exposed user accounts and medical data - LogBox, a South African medical data startup that bills itself as an “absolutely secure” way of repl... more: feedproxy.google.com/~r/Techcr #publickeyinfrastructure #transportlayersecurity #keymanagement #unitedkingdom #cryptography #southafrica #healthtech #physician #president #security #nigeria #africa #ceo

  18. Google, Mozilla team up to block Kazakhstan’s browser spying tactics - Google and Mozilla have taken the rare step of blocking an untrusted certificate issued by the Kazak... more: feedproxy.google.com/~r/Techcr #publickeyinfrastructure #internettraffic #google-chrome #keymanagement #cryptography #webbrowsers #security #internet #software #privacy

  19. I published a new article. Today it's about #WKD #OpenPGP and key discovery. It's split into a part that explains what the current methods are to receive someone else's public key and how WKD comes in here, followed by a hands-on part on how to set up WKD for your domain. Hope you enjoy 😉

    #keymanagement #GnuPG #website

    shivering-isles.com/Lets-disco