{
    "slug": "key_management",
    "term": "Key Management & Rotation",
    "category": "security",
    "difficulty": "advanced",
    "short": "The policies and practices for generating, storing, distributing, rotating, and retiring cryptographic keys securely.",
    "long": "Poor key management is responsible for many real-world cryptographic failures despite using strong algorithms. Key management principles include: generate keys using a CSPRNG, never hardcode keys in source code, store keys in a dedicated secrets manager (HashiCorp Vault, AWS KMS, Azure Key Vault), enforce least-privilege access to keys, rotate keys on a regular schedule and immediately after suspected compromise, and maintain key versioning so old data can still be decrypted during rotation. In PHP, use environment variables or a secrets SDK — never php.ini or config files committed to git.",
    "aliases": [
        "secret management",
        "key rotation",
        "cryptographic key management"
    ],
    "tags": [
        "cryptography",
        "devops",
        "secrets",
        "infrastructure"
    ],
    "misconception": "Storing keys in environment variables is fully secure. Env vars are accessible to all processes, sometimes logged by frameworks, and exposed in /proc on Linux. A dedicated secrets manager provides proper access control and audit logging.",
    "why_it_matters": "The strongest encryption is useless if the key is stored alongside the ciphertext or is never rotated — key management is where most cryptographic systems fail in practice.",
    "common_mistakes": [
        "Storing encryption keys in the database alongside the data they protect — breach exposes both.",
        "Hardcoding encryption keys in source code — committed to version control, permanent exposure.",
        "Never rotating keys — a compromised key remains usable indefinitely.",
        "Using a single key for all purposes — one compromised key breaks all encrypted data."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "hmac",
        "weak_cryptography",
        "hardcoded_credentials",
        "openssl_encrypt"
    ],
    "prerequisites": [
        "symmetric_encryption",
        "asymmetric_encryption",
        "secrets_management"
    ],
    "refs": [
        "https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html"
    ],
    "bad_code": "// Key stored next to ciphertext in the same DB table:\n$row = $db->query('SELECT data, encryption_key FROM secrets WHERE id = 1');\n$plaintext = openssl_decrypt($row['data'], 'AES-256-CBC', $row['encryption_key'], ...);",
    "good_code": "// Use a KMS or secrets manager — not plaintext files\n\n// AWS Secrets Manager — fetch at startup, cache in memory\nfunction getSecret(string \\$name): string {\n    static \\$cache = [];\n    return \\$cache[\\$name] ??= fetchFromAws(\\$name); // cached per process\n}\n\n\\$dbPassword = getSecret('prod/db/password');\n\n// Laravel — APP_KEY drives all encryption\n\\$encrypted = Crypt::encryptString(\\$sensitive); // uses APP_KEY\n\n// Key rotation:\n$ php artisan key:generate  // new APP_KEY\n// Re-encrypt existing data with old key before switching\n\n// Hierarchy: master key (in KMS) → data encryption keys → encrypted data\n// Never hardcode keys. Rotate on any suspected exposure.",
    "quick_fix": "Store encryption keys in AWS KMS, HashiCorp Vault, or at minimum environment variables — never in the database next to the data they encrypt, and never in source code",
    "severity": "critical",
    "effort": "high",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/key_management",
        "html_url": "https://codeclaritylab.com/glossary/key_management",
        "json_url": "https://codeclaritylab.com/glossary/key_management.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Key Management & Rotation](https://codeclaritylab.com/glossary/key_management) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/key_management"
            }
        }
    }
}