The cryptography register documents all cryptographic keys and certificates in your organisation — including algorithm, key length, expiry date and rotation cycle. Without this register, you cannot tell which systems are affected when a key is compromised or expires.
ISO 27001 A.8.24 (Use of Cryptography) requires that rules for the use of cryptography are defined and implemented — including key management. The register is the operational tool that keeps you in control.
What does it contain?
Each row represents one cryptographic key or certificate. The columns:
- Key ID / Purpose — unique identifier and use case (e.g. TLS wildcard, database encryption, code signing)
- Algorithm / Key Length — algorithm in use (RSA, AES, Ed25519) and key length
- Owner / System — responsible person and the system where the key is deployed
- Created / Expiry / Rotation Interval — creation date, expiry date and planned rotation cadence
- Storage / Backup / Status — storage location, backup method and current status
How to use it
Initial population: Inventory all active keys and certificates. Start with TLS certificates (publicly visible, easy to find) and then work through internal encryption keys, SSH keys and code-signing certificates.
Ongoing maintenance: With every key rotation, renewal or new issuance, update the register. Expired or revoked keys stay in the register (status: Expired/Revoked) — this keeps the lifecycle traceable.
Regular review: Once a quarter, check which keys expire within the next 90 days and schedule renewals. At the same time, verify that the algorithms and key lengths in use still meet current recommendations (see the BSI TR-02102 and NIST SP 800-57 references under Sources), and confirm that entries whose expiry date has already passed are no longer marked Active.
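As an added example (not part of the original page), the following Python script runs the quarterly review over a constructed subset of the register shown below: it lists active keys expiring within 90 days, flags rows whose expiry has passed while the status still says Active, and checks algorithm and key length against a review policy. The minimum-bit thresholds, the 90-day window and the revoked row KEY-099 are assumptions made for this example, not values from the page.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample register (subset of the table below plus a revoked KEY-099 not on the page).
REGISTER_CSV = """Key ID,Algorithm,Key Length,Expiry,Rotation Interval,Status
KEY-001,RSA,2048,2026-09-01,12 months,Active
KEY-002,ECDSA P-256,256,2026-10-15,12 months,Active
KEY-003,AES-GCM,256,N/A,24 months,Active
KEY-008,N/A,N/A,2026-08-01,12 months,Active
KEY-010,AES-CBC,256,2027-01-01,36 months,Active
KEY-099,RSA,2048,2025-01-01,12 months,Revoked
"""
# Assumed review policy for this example: minimum bits per algorithm family
# (to be set from BSI TR-02102 / NIST SP 800-57) and the 90-day look-ahead window.
MIN_BITS = {"RSA": 3000, "ECDSA": 250, "AES": 128, "Ed25519": 256}
REVIEW_WINDOW = timedelta(days=90)

def load_register(text):
    return list(csv.DictReader(io.StringIO(text)))

def _active_with_expiry(rows):
    """(row, expiry date) for active keys that carry an expiry date."""
    for r in rows:
        if r["Status"] == "Active" and r["Expiry"] != "N/A":
            yield r, date.fromisoformat(r["Expiry"])

def expiring_soon(rows, today):
    """Active keys expiring within REVIEW_WINDOW, as (key id, days left)."""
    return [(r["Key ID"], (exp - today).days) for r, exp in _active_with_expiry(rows)
            if today <= exp <= today + REVIEW_WINDOW]

def expired_but_active(rows, today):
    """Register inconsistency: expiry date has passed but status is still Active."""
    return [r["Key ID"] for r, exp in _active_with_expiry(rows) if exp < today]

def algorithm_findings(rows):
    """Active keys whose algorithm or key length needs attention at review."""
    findings = []
    for r in rows:
        if r["Status"] != "Active":
            continue  # Expired/Revoked rows stay in the register but are not reviewed
        alg = r["Algorithm"]
        family = alg.split()[0].split("-")[0]  # "ECDSA P-256" -> "ECDSA", "AES-GCM" -> "AES"
        if alg == "N/A":
            findings.append((r["Key ID"], "no algorithm recorded"))
        elif family in MIN_BITS and int(r["Key Length"]) < MIN_BITS[family]:
            findings.append((r["Key ID"], f"{alg}-{r['Key Length']} below policy minimum {MIN_BITS[family]}"))
        if alg.endswith("-CBC"):
            findings.append((r["Key ID"], "unauthenticated CBC mode"))
    return findings
```

Run against the real register by exporting it as CSV with the same column headers and passing the file contents to `load_register`.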
| Key ID | Purpose | Algorithm | Key Length | Owner | System | Created | Expiry | Rotation Interval | Storage | Backup | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|
| KEY-001 | TLS wildcard *.nordwind-logistics.com | RSA | 2048 | IT Operations Lead | Nginx frontend | 2025-09-01 | 2026-09-01 | 12 months | Let's Encrypt ACME | N/A | Active |
| KEY-002 | TLS api.nordwind-logistics.com | ECDSA P-256 | 256 | IT Operations Lead | API gateway | 2025-10-15 | 2026-10-15 | 12 months | Let's Encrypt ACME | N/A | Active |
| KEY-003 | Database encryption at rest (Customer DB) | AES-GCM | 256 | IT Operations Lead | PostgreSQL RDS | 2024-04-01 | N/A | 24 months | AWS KMS CMK | KMS multi-region | Active |
| KEY-004 | Backup encryption | AES-GCM | 256 | IT Operations Lead | Veeam repository | 2024-01-10 | N/A | 24 months | HSM | Offsite HSM | Active |
| KEY-005 | S/MIME email signing, Information Security Officer (ISO) | RSA | 4096 | ISO (Information Security Officer) | M365 Outlook | 2025-06-01 | 2028-06-01 | 36 months | Smartcard | N/A | Active |
| KEY-006 | Code signing certificate | RSA | 3072 | Head of Engineering | CI pipeline | 2025-02-01 | 2027-02-01 | 24 months | HSM | HSM backup | Active |
| KEY-007 | SSH host keys prod cluster | Ed25519 | 256 | IT Operations Lead | Linux servers | 2024-11-01 | N/A | 36 months | Host filesystem | Config mgmt | Active |
| KEY-008 | VPN pre-shared key | N/A | N/A | IT Operations Lead | VPN gateway | 2025-08-01 | 2026-08-01 | 12 months | Password manager | Secure vault | Active |
| KEY-009 | Disk encryption recovery keys (fleet) | AES | 256 | IT Operations Lead | BitLocker / FileVault | Continuous | N/A | Per device | MDM escrow | MDM backup | Active |
| KEY-010 | Database backup AES key (archive) | AES-CBC | 256 | IT Operations Lead | S3 archive | 2024-01-01 | 2027-01-01 | 36 months | AWS KMS | KMS multi-region | Active |
Sources
- ISO/IEC 27001:2022 A.8.24 — Use of Cryptography
- BSI TR-02102 — Cryptographic Algorithms: Recommendations and Key Lengths
- NIST SP 800-57 — Recommendation for Key Management