Private keys vaulted
Demonstrate that all private keys and cryptographic secrets are stored exclusively in hardened secrets management vaults with enforced access controls, encryption, and comprehensive audit logging.
Description
What this control does
Private keys vaulted is a control requiring all cryptographic private keys and secrets (TLS/SSL certificate private keys, SSH keys, code-signing keys, API keys, and data encryption keys) to be stored in dedicated secrets management systems (vaults) with access controls, encryption at rest, and audit logging. Keys must not reside in source code repositories, configuration files, unencrypted file systems, or developer workstations. This control ensures keys are centrally inventoried, rotated, and protected from unauthorized access or exfiltration, reducing the attack surface for credential compromise.
Control objective
What auditing this proves
Demonstrate that all private keys and cryptographic secrets are stored exclusively in hardened secrets management vaults with enforced access controls, encryption, and comprehensive audit logging.
Associated risks
Risks this control addresses
- Unauthorized access to private keys stored in plain text on file systems or application servers, enabling impersonation or data decryption
- Exposure of embedded keys in source code repositories leading to credential leakage via version control history or public repository disclosure
- Lateral movement by attackers who extract keys from compromised developer workstations or CI/CD pipeline environments
- Inability to rotate or revoke compromised keys due to lack of centralized inventory and management
- Privilege escalation through harvesting of SSH private keys or service account credentials stored in unprotected locations
- Data breach resulting from stolen encryption keys used to decrypt sensitive customer or financial information
- Supply chain attacks where adversaries inject malicious code by obtaining code-signing private keys from insecure storage
Testing procedure
How an auditor verifies this control
- Obtain an inventory of all systems, applications, services, and infrastructure components that utilize cryptographic private keys or secrets.
- Identify and document all approved secrets management vaults in use (e.g., HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, CyberArk).
- Review vault configuration settings to verify encryption at rest is enabled, access is controlled via role-based policies, and audit logging is active.
- Scan a representative sample of application configuration files, environment variable definitions, and containerized deployments for hardcoded private keys or secrets.
- Query source code repositories for historical commits containing private key patterns using secret scanning tools or manual keyword searches (e.g., 'BEGIN PRIVATE KEY', 'BEGIN RSA PRIVATE KEY').
- Inspect file system permissions on application servers and developer workstations for private key files stored outside the vault (e.g., ~/.ssh/, /etc/ssl/private/).
- Review vault access logs for the sample period to verify key retrieval events are logged with user identity, timestamp, and resource identifiers.
- Interview developers and operations personnel to confirm awareness of the private key storage policy and validate no shadow key storage practices exist.
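The file-system and log-review steps above can be partly automated. The following Python helper is an added example, not part of this control text or any vendor's tooling: it walks a directory tree for the PEM private-key headers named in the procedure, flags key files whose permissions are broader than owner-only, and checks that each vault audit entry carries a user identity, timestamp and resource identifier. The sample files and the JSON audit lines are constructed for the walkthrough; the audit field names (`time`, `user`, `resource`) are an assumption and should be mapped to the fields your vault actually emits.

```python
"""Audit helper (added example): find private keys stored outside the vault
and spot audit-log entries that lack the attributes the procedure requires."""
from __future__ import annotations

import json
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

# PEM headers from the testing procedure; PGP added as a constructed extra.
KEY_PATTERNS = {
    "pem_private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "pgp_private_key": re.compile(r"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
}

# Audit fields assumed for this example; adjust to your vault's log schema.
REQUIRED_AUDIT_FIELDS = ("time", "user", "resource")


def find_key_material(text: str) -> list[str]:
    """Return the names of every key pattern present in a text blob."""
    return [name for name, rx in KEY_PATTERNS.items() if rx.search(text)]


def mode_too_broad(path: Path) -> bool:
    """True when group or others can read the file (key files should be 0600)."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def scan_tree(root: Path) -> list[dict]:
    """Walk a tree and report files holding key material outside the vault,
    plus key files readable by more than their owner."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        kinds = find_key_material(text)
        for kind in kinds:
            findings.append({"path": rel, "issue": "key_material", "detail": kind})
        if kinds and mode_too_broad(path):
            mode = oct(stat.S_IMODE(path.stat().st_mode))
            findings.append({"path": rel, "issue": "broad_permissions", "detail": mode})
    return findings


def audit_log_gaps(lines: list[str]) -> list[int]:
    """Return 1-based line numbers of entries missing identity, time or resource."""
    gaps = []
    for n, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            gaps.append(n)
            continue
        if any(not entry.get(field) for field in REQUIRED_AUDIT_FIELDS):
            gaps.append(n)
    return gaps


# Constructed audit lines in a generic JSON shape (not a specific vendor's format).
SAMPLE_AUDIT_LINES = [
    '{"time": "2024-01-05T10:00:00Z", "user": "ci-deployer", "resource": "secret/tls/api-cert", "op": "read"}',
    '{"time": "2024-01-05T10:01:12Z", "user": "", "resource": "secret/ssh/bastion", "op": "read"}',
    "not a json record",
]


def build_sample_tree() -> Path:
    """Create a temporary tree of constructed files: one config with an embedded
    PEM key, one world-readable SSH key, and two clean files."""
    root = Path(tempfile.mkdtemp(prefix="vault-audit-"))
    files = {
        "config/app.yaml": "db_host: db.internal\ntls_key: |\n"
                           "  -----BEGIN PRIVATE KEY-----\n  constructed\n"
                           "  -----END PRIVATE KEY-----\n",
        "src/main.py": "import os\nTOKEN = os.environ['VAULT_TOKEN']  # fetched at runtime\n",
        "home/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n"
                            "-----END OPENSSH PRIVATE KEY-----\n",
        "home/.ssh/config": "Host bastion\n  User ops\n",
    }
    modes = {"home/.ssh/id_rsa": 0o644, "home/.ssh/config": 0o600}
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        os.chmod(p, modes.get(rel, 0o644))
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        for f in scan_tree(sample):
            print(f"{f['issue']:18} {f['path']}  ({f['detail']})")
        print("audit entries lacking required fields:", audit_log_gaps(SAMPLE_AUDIT_LINES))
    finally:
        shutil.rmtree(sample)
```

Point `scan_tree` at a checked-out repository or a mounted server file system to cover the configuration-file and file-permission steps; note that it reads file contents, so run it with read-only credentials and treat its output as sensitive. Historical commits are not covered by a working-tree scan, so pair it with a secret-scanning tool that walks git history.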
Where this control is tested