A data analyst is tasked with securing a database containing sensitive customer PII. The analyst has encrypted the database. Which of the following is the MOST secure location for storing the database encryption key?
In a different table within the same database instance
In a configuration file on the same server hosting the database
In a separate, dedicated Hardware Security Module (HSM)
In a password-protected file attached to an email sent to the system administrator
Storing encryption keys in a dedicated Hardware Security Module (HSM) is a security best practice. HSMs are specialized, tamper-resistant devices designed to securely generate, store, and manage cryptographic keys, keeping them isolated from the data they protect. Storing the key in the same database or on the same server, even in a configuration file, creates a single point of failure; if an attacker compromises the server, they gain access to both the encrypted data and the key needed to decrypt it. Emailing the key is highly insecure as email is generally not an end-to-end encrypted or secure storage mechanism.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an HSM (Hardware Security Module)?
Open an interactive chat with Bash
Why is storing the encryption key on the same server as the database less secure?
Open an interactive chat with Bash
What are some best practices for managing encryption keys?