A data analyst is tasked with securing a database containing sensitive customer PII. The analyst has encrypted the database. Which of the following is the MOST secure location for storing the database encryption key?
In a separate, dedicated Hardware Security Module (HSM)
In a different table within the same database instance
In a password-protected file attached to an email sent to the system administrator
In a configuration file on the same server hosting the database
Storing encryption keys in a dedicated Hardware Security Module (HSM) is a security best practice. HSMs are specialized, tamper-resistant devices designed to securely generate, store, and manage cryptographic keys, keeping them isolated from the data they protect. Storing the key in the same database or on the same server, even in a configuration file, creates a single point of failure; if an attacker compromises the server, they gain access to both the encrypted data and the key needed to decrypt it. Emailing the key is highly insecure as email is generally not an end-to-end encrypted or secure storage mechanism.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is it important to separate encryption keys from data?
Open an interactive chat with Bash
What are some secure methods for storing encryption keys?
Open an interactive chat with Bash
What risks are associated with placing encryption keys with sensitive data?