Key management is a major source of risk, but Tink has built-in support for industry-leading options to help you secure your keys. Tink also features a command line utility called Tinkey, which helps you generate keys and work with Tink keysets.
We recommend using an external Key Management System (KMS) like Google Cloud KMS or AWS KMS to protect your Tink-generated keys. Once you choose a primitive and key type for your use case, you should do the following:
- Create a key in your external KMS.
- Get a key URI and credentials you can pass to Tink.
Then, you can use Tink’s APIs or Tinkey to encrypt your Tink keys whenever you generate them. Once your keys are encrypted, you can store them wherever you want.