Destroying backups of keys


Patrick
03-26-2007, 10:20 AM
Hello,

I've already had an answer to this but didn't like it so thought I'd try rephrasing the question slightly to try and get the answer I want!

If data encryption keys are encrypted themselves and backed up onto tape (or whatever) do they need to be destroyed when the key is destroyed at the end of its life?

If so how do you destroy things that are on back up tapes?

Thanks,
Patrick

mdahn
03-26-2007, 06:22 PM
Good question and you point out something to which there is no one "compliant" response, but one where there may be multiple correct answers.

First, let's recap a couple of other conversations:
* Conversation/debate on key management (http://www.pcifile.org/phpBB2/viewtopic.php?t=116)
* Different methods of encrypting data (http://pcianswers.com/2006/08/09/methods-of-encrypting-data/)
* Information on the dual-control and split-knowledge (http://pcianswers.com/2006/09/03/dual-control-split-knowledge/)

Ok, got that out of the way.

If your data encryption key (DEK) is encrypted with your key encryption key (KEK) then it should be considered secure. You can back it up and not have to worry about it too much as long as the backup tapes are physically secured.

I would say the DEK does not need to be "destroyed" after it is no longer in use because (1) it may still be required to decrypt data that was encrypted under it and (2) because it is secured physically and offline. There is little risk to the key and thus the data, especially if it is encrypted with a KEK.

Patrick
03-27-2007, 01:57 AM
Thanks sfoak. The PCI:DSS std is such a nice thin spec, but every time I look a little deeper into a requirement it just gets bigger and bigger. I haven't enjoyed work this much for a long time!

andrewj
03-27-2007, 03:11 AM
If a key is well encrypted with a good symmetric algorithm (3DES, AES), and you destroy the encryption key, this is generally accepted as being as good as destroying the encrypted key as well. Brute forcing of the key space for a (random) 3DES or AES key is well beyond any existing or theoretical classical computing power. With existing knowledge and algorithms, a 256-bit AES key is beyond the capabilities of projected non-classical (i.e. quantum) computing systems.

If you're encrypting the key with an asymmetric algorithm (e.g. RSA) then things are a bit messier.
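The symmetric case andrewj and mdahn describe, as an added example that is not from this thread: a DEK wrapped under an AES-256 KEK and copied to a backup "tape", then the KEK zeroised while the tape copy is left untouched. Function names are mine, and AES-GCM stands in for a dedicated key-wrap mode; the `clear` builtin needs Go 1.21 or later.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// newGCM builds an AES-GCM AEAD from a 16/24/32-byte key.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length: a programming error in this demo
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail: the AES block size is always 16 bytes
	return gcm
}
// Seal encrypts under key with a fresh random nonce; output is nonce || ciphertext || tag.
func Seal(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read does not fail on supported platforms
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
// Open reverses Seal for blobs Seal produced; a wrong key fails the GCM tag check (err != nil).
func Open(key, sealed []byte) ([]byte, error) {
	gcm := newGCM(key)
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
// recoverData unwraps the DEK from the tape copy with kek, decrypts ct and compares it to want.
func recoverData(kek, tape, ct, want []byte) bool {
	dek, err := Open(kek, tape)
	if err != nil {
		return false
	}
	pt, err := Open(dek, ct)
	return err == nil && string(pt) == string(want)
}
// CryptoShred models the thread's scenario (data under a DEK, DEK wrapped under a KEK and copied to
// a backup "tape") and reports whether the data is recoverable before and after the KEK is zeroised.
func CryptoShred(data []byte) (before, after bool) {
	dek, kek := make([]byte, 32), make([]byte, 32)
	rand.Read(dek)
	rand.Read(kek)
	ct, tape := Seal(dek, data), Seal(kek, dek) // data at rest; wrapped DEK as written to tape
	clear(dek) // live DEK discarded (Go 1.21+ builtin); only the wrapped copy on tape survives
	before = recoverData(kek, tape, ct, data)
	clear(kek) // end of life: destroy the KEK; the tape copy is never touched
	after = recoverData(kek, tape, ct, data)
	return before, after
}
```

The "after" result is the point mdahn and andrewj make: the backed-up wrapped DEK is still physically on the tape, but once the KEK is gone it is indistinguishable from random bytes and cannot be brute-forced.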