Best practice for storing encryption keys

We use SharePoint to manage project documents. We now have documents that are federal CUI and so must be encrypted. But we have no procedure set up for how to store those keys. Obviously we cannot just keep the keys in the folder with the encrypted files.

I have come up with a few ideas but I am wondering what industry best practices are for this.

Two general categories are

  1. Store keys somewhere that requires a different set of credentials that those used to access SharePoint (but where?)
  2. Store keys somewhere on SharePoint with more restricted access using built-in SharePoint permission settings

Who should be allowed to access the keys? Should access be only by online credentials and access control, or should there be a human gatekeeper? I would also expect the keys be separated based on need-to-know, which is generally by project.

(Our SharePoint system is hosted by Microsoft. Microsoft encrypts everything but it’s the type of encryption at the data center level and is transparent to users. It protects against someone hacking into the host’s SharePoint servers and trying to read the database, but it doesn’t protect against someone’s credentials being compromised.)

Will an additional layer solve this problem? Seems like the additional layer will also have authorization based on the same users credentials.

Is this SharePoint in Office 365 or your own install of SharePoint?

Take a look at Azure Key Vault

We are using Microsoft-hosted SharePoint. I will look at Azure Key Vault, thanks.