Key management overview

Improper key management is a major source of risk. To address this risk, Tink offers:

  • Built-in support for industry-leading Key Management Systems (KMS) such as Google Cloud KMS, AWS KMS, or HashiCorp Vault, to help you secure your keys.
  • A command line utility called Tinkey, which helps you generate keys and work with Tink keysets.

Concretely, after you have selected a primitive and key type for your use case (in the preceding I want to... section), follow these steps to manage your keys:

  1. Use the external Key Management System (KMS) you selected in step 2 to protect your Tink-generated keys by:

  2. Use Tink's APIs or Tinkey to generate an encrypted keyset. After your keys have been encrypted, you can store them wherever you want.

  3. Rotate your keys to limit the risk that comes from reusing the same key extensively.
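The following is an added example (not code from the Tink documentation or project) showing steps 2 and 3 with Tink's Java API: a keyset is generated, written in encrypted form under a KMS-held key, then rotated by adding a fresh primary key. The KMS_KEY_URI value is a placeholder, and the example assumes the matching KMS client has already been registered through its Tink integration library.

```java
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.JsonKeysetReader;
import com.google.crypto.tink.JsonKeysetWriter;
import com.google.crypto.tink.KeyTemplates;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.KmsClients;
import com.google.crypto.tink.aead.AeadConfig;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;

public final class EncryptedKeysetLifecycle {
  // Placeholder URI; the real one names the key-encryption key in the KMS chosen in step 1.
  private static final String KMS_KEY_URI =
      "gcp-kms://projects/PROJECT/locations/global/keyRings/RING/cryptoKeys/KEK";

  // Step 2: generate a keyset and write it encrypted under the KMS key. Only ciphertext leaves
  // this method, so the returned bytes can be stored in a file, database or config store.
  static byte[] createEncryptedKeyset(Aead kmsAead) throws Exception {
    KeysetHandle handle = KeysetHandle.generateNew(KeyTemplates.get("AES128_GCM"));
    ByteArrayOutputStream out = new ByteArrayOutputStream();
    handle.write(JsonKeysetWriter.withOutputStream(out), kmsAead);
    return out.toByteArray();
  }

  // Step 3: rotate by adding a new key and making it primary. Older keys remain in the keyset
  // so data encrypted under them still decrypts; new encryptions use the new primary.
  static byte[] rotate(byte[] encryptedKeyset, Aead kmsAead) throws Exception {
    KeysetHandle current = KeysetHandle.read(
        JsonKeysetReader.withInputStream(new ByteArrayInputStream(encryptedKeyset)), kmsAead);
    KeysetHandle rotated = KeysetHandle.newBuilder(current)
        .addEntry(KeysetHandle.generateEntryFromParametersName("AES128_GCM")
            .withRandomId()
            .makePrimary())
        .build();
    ByteArrayOutputStream out = new ByteArrayOutputStream();
    rotated.write(JsonKeysetWriter.withOutputStream(out), kmsAead);
    return out.toByteArray();
  }

  public static void main(String[] args) throws Exception {
    AeadConfig.register();
    // Assumes the KMS client for KMS_KEY_URI was registered beforehand with its integration
    // library (for example the Google Cloud KMS client), so the lookup below succeeds.
    Aead kmsAead = KmsClients.get(KMS_KEY_URI).getAead(KMS_KEY_URI);
    byte[] v1 = createEncryptedKeyset(kmsAead);
    byte[] v2 = rotate(v1, kmsAead);
    System.out.println("Encrypted keyset size: " + v1.length + " -> " + v2.length + " bytes");
  }
}
```

The keyset plaintext never touches disk; anyone who obtains the stored bytes still needs decrypt permission on the KMS key to use them.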