We use SharePoint to manage project documents. We now have documents that are federal CUI and so must be encrypted. But we have no procedure set up for how to store those keys. Obviously we cannot just keep the keys in the folder with the encrypted files.
I have come up with a few ideas but I am wondering what industry best practices are for this.
Two general categories are
- Store keys somewhere that requires a different set of credentials that those used to access SharePoint (but where?)
- Store keys somewhere on SharePoint with more restricted access using built-in SharePoint permission settings
Who should be allowed to access the keys? Should access be only by online credentials and access control, or should there be a human gatekeeper? I would also expect the keys be separated based on need-to-know, which is generally by project.
(Our SharePoint system is hosted by Microsoft. Microsoft encrypts everything but it’s the type of encryption at the data center level and is transparent to users. It protects against someone hacking into the host’s SharePoint servers and trying to read the database, but it doesn’t protect against someone’s credentials being compromised.)