Best practice for encryption key management?

• A. Write keys on sticky notes.
• B. Use default system keys.
• C. Store keys in a secure vault or HSM, separate from data.
• D. Store keys on the same server as data.

Answer: (C)

Managing encryption keys means protecting them in a separate, trusted location designed specifically for key storage and operations. Storing keys in a secure vault or an HSM keeps them in a tamper‑resistant, access‑controlled environment and supports key lifecycle management like generation, rotation, and revocation, plus auditing. This separation ensures that even if the data store is breached, decryption isn’t possible without the keys, and you can track who accessed or used them. In contrast, keys written on sticky notes are easily exposed, default system keys are commonly known and not unique to your setup, and placing keys on the same server as data ties their security to that server’s compromise. Therefore, dedicated secure storage with proper controls and lifecycle management is the best practice.