A security architect at a regulated financial institution is implementing a mitigation to ensure that no single administrator can decrypt the database's master encryption key. The master key is divided into two 512-bit components that are written to separate smart cards. Because each component is mathematically useless on its own, the hardware security module can only reconstruct and use the full key when both cards are presented. Which mitigation strategy, as defined in the CompTIA Server+ objectives, does this design implement?
Dividing a cryptographic secret into multiple independent parts that must be brought together before the secret can be used is the hallmark of the split encryption keys tokens mitigation. Each custodian holds a key fragment that conveys no knowledge of the complete key, so a malicious insider acting alone cannot gain decryption capability.
Two-person integrity also involves dual participation, but it focuses on the simultaneous presence of two authorized people to oversee a sensitive task; it does not necessarily require the cryptographic key itself to be mathematically split. A SIEM provides centralized log collection, correlation, and alerting rather than enforcing access to encryption keys. Data loss prevention controls watch for and block the exfiltration of sensitive data but likewise do not control how an encryption key is reconstructed. Therefore, only the split-key approach matches the scenario.
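As an added illustration (not part of the original question or of the Server+ materials), the following Python shows the property the explanation relies on: an XOR-based split in which each component is the full key length, so that one card holder learns nothing about the master key. It assumes a 512-bit master key (matching the two 512-bit components in the scenario); the naive-halving function is a counter-example of what does not qualify.

```python
import hashlib
import secrets

KEY_BYTES = 64  # assumed 512-bit master key, matching the two 512-bit components


def split_key(master_key: bytes) -> tuple[bytes, bytes]:
    """Split the master key into two full-length components.

    Component A is fresh random bytes; component B is master_key XOR A.
    Because A is uniform, B is uniform too, so neither card alone reveals
    anything about the master key (one-time-pad argument).
    """
    if len(master_key) != KEY_BYTES:
        raise ValueError(f"master key must be {KEY_BYTES} bytes")
    component_a = secrets.token_bytes(KEY_BYTES)
    component_b = bytes(m ^ a for m, a in zip(master_key, component_a))
    return component_a, component_b


def reconstruct_key(component_a: bytes, component_b: bytes) -> bytes:
    """Recombine both components; refuse anything but two full-length shares."""
    if len(component_a) != KEY_BYTES or len(component_b) != KEY_BYTES:
        raise ValueError("both components are required, each the full key length")
    return bytes(a ^ b for a, b in zip(component_a, component_b))


def share_consistent_with(known_component: bytes, any_key: bytes) -> bytes:
    """Why one share is useless: for ANY candidate key there exists a partner
    component that reconstructs exactly that key, so a single card holder
    cannot rule out even one possibility."""
    return bytes(k ^ c for k, c in zip(any_key, known_component))


def naive_halves(master_key: bytes) -> tuple[bytes, bytes]:
    """Counter-example, NOT a split-key mitigation: cutting the key in two
    hands each custodian 256 real key bits and leaves only 2**256 to guess."""
    half = KEY_BYTES // 2
    return master_key[:half], master_key[half:]


def key_check_value(key: bytes) -> str:
    """Short fingerprint the HSM can log to confirm a correct reconstruction
    without exposing the key material itself."""
    return hashlib.sha256(key).hexdigest()[:8]


if __name__ == "__main__":
    master = secrets.token_bytes(KEY_BYTES)  # constructed sample master key
    card_a, card_b = split_key(master)
    assert reconstruct_key(card_a, card_b) == master
    print("KCV matches after reconstruction:", key_check_value(master))
```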