Advanced Encryption Standard (AES) is a symmetric encryption algorithm that secures data in applications like video streaming, file encryption, and secure communications. AES key management maintains data confidentiality and protects keys from unauthorized access or misuse. Implementing key management practices ensures that encryption keys are handled in a secure way throughout their lifecycle.
AES Key Management Practices
Key Generation
AES key generation supports 128, 192, and 256-bit key sizes. You must create keys using Secure Pseudorandom Number Generators (CSPRNGs) to prevent predictability and weak keys. The security of AES encryption depends on the randomness and entropy of the generated keys.
Key Storage
AES keys should be stored within Hardware Security Modules (HSMs), Key Management Systems (KMS), or encrypted databases. Avoid storing keys in plaintext or unsecured locations. Apply encryption of stored keys and physical security measures to prevent unauthorized access.
Access Control
Limit the access to AES keys to authorized users and systems through role-based access control (RBAC). Policies should segregate duties so that no single individual controls all key management activities, such as generating, storing, and using them.
Key Expiry
Key expiration policies must retire AES keys after a predefined operational period to limit the key’s exposure. So, you must remove the expired keys from active use to prevent any unauthorized decryption.
Backup and Recovery
AES key backups must be encrypted with a separate master key and stored in secure environments such as encrypted cloud repositories. Use recovery procedures with strict authentication and authorization controls (such as multi-factor authentication) to restrict access to keys.
Compliance and Auditing
AES key management practices must align with standards (like FIPS 140-2) and regulations (such as GDPR). Conduct regular audits to detect vulnerabilities and adhere to policies. Comprehensive logging of key lifecycle events (including creation, usage, and destruction) is required. Establish real-time monitoring and alerting mechanisms to identify unauthorized access attempts or suspicious activities.
Key Compromise Response and Revocation Procedures
Immediate Response to Key Compromise
Identify the scope of any possible compromise. If the affected key is used for content encryption in a streaming pipeline, determine which content segments, streams, or user sessions are affected. Audit logs from the KMS or HSM should show key access timestamps, access origin, and associated client identifiers. Once a suspicious pattern is confirmed, flag the compromised key as inactive or revoked in the KMS.
If you are using AWS KMS or Google Cloud KMS, disable the key version or set its status to DISABLED immediately:
# AWS CLI example
aws kms disable-key --key-id <key-id>While disabling the key prevents further use, it does not retroactively protect previously encrypted content. That’s where re-encryption comes in.
Re-encrypting and Rotating Compromised Keys
All data encrypted with the compromised key must be re-encrypted using a new key. You must first generate a new AES key using a CSPRNG, then decrypt affected data using the old key and re-encrypt it with a new one.
For large content libraries like VOD assets, automate this using packaging tools integrated with your KMS. For example, in a media workflow, you can use Shaka Packager or FFmpeg with a Vault plugin or AWS SDK to re-encrypt in place or to a new location.
# Sample re-packaging with a new key (Shaka Packager)
packager \
input=video_old.mp4,stream=video,output=video_new_encrypted.mp4 \
--enable_raw_key_encryption \
--keys label=HD:key_id=<new_key_id>:key=<new_key> \
--protection_scheme=cenc
In live streaming workflows, rotate segment encryption keys by modifying your packaging system’s encryption config. Most AES-128 live pipelines allow for per-segment key rotation with external key fetch URLs.