What Is Key Management?

Key management encompasses the policies, procedures, and technologies that govern the creation, storage, use, rotation, and retirement of cryptographic keys throughout their lifecycle. In digital identity, proper key management is fundamental to the trust that credentials provide.

Why do keys matter?

Digital identity systems rely on cryptography to establish trust and security. When the DMV signs a mobile driver's license, it uses a private key that only the DMV controls. When you present that credential, your wallet uses a device key unique to your phone. If these keys are compromised, stolen, or mismanaged, the entire trust model collapses.

Key management ensures that keys remain secure, their use is properly controlled, and the system can recover from any compromise.

Public key infrastructure

Digital identity systems use asymmetric cryptography, which relies on mathematically linked key pairs.

Private keys are known only to their owner, whether that is the DMV, your wallet, or another authorized party. They must be protected with extreme care, because anyone holding the private key can sign credentials or authenticate as that entity.

Public keys can be shared freely and are used to verify signatures created by the corresponding private key. Verifiers use issuers' public keys to verify the authenticity of credentials.

The infrastructure that manages these relationships (issuing certificates, maintaining trust hierarchies, and publishing public keys) is called public key infrastructure (PKI).

Hardware security modules

For high-value keys, such as those used by DMVs to sign credentials, protection must be extraordinary. Hardware security modules (HSMs) are tamper-resistant devices explicitly designed for this purpose.

HSMs store private keys, perform encryption and signing operations, and provide physical protection against tampering. At the highest security levels, they can detect physical intrusion attempts and automatically erase keys before they can be extracted.

Federal agencies require HSM compliance with FIPS 140-3 for sensitive identity systems. This standard defines security requirements for cryptographic modules across multiple levels.

Layered key architecture

DMVs and other issuers typically employ layered key structures to strike a balance between security and operational needs.

A root key, secured in the highest-grade HSM, sits at the top of the trust hierarchy. This key is used sparingly, perhaps only to authorize other keys, and is protected with the most stringent controls.

Document signer keys are authorized by the root key and are responsible for issuing day-to-day credentials. These keys are rotated frequently, sometimes every 30 days, to limit exposure if one is compromised.

This separation of duties keeps the root key highly protected while enabling issuance at scale.
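The two-level structure above, as an added example in Go that is not code from the original page: a root key (assumed to be Ed25519 and held in the HSM) authorizes a short-lived document signer key, the signer signs credentials, and the verifier walks the chain back to the trust anchor. The SignerCert structure and its encoding are simplified stand-ins for a real certificate format, not the structure any particular issuer uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// SignerCert stands in for a document signer certificate: the root key authorises one signer key for a bounded window.
type SignerCert struct {
	PubKey              ed25519.PublicKey
	NotBefore, NotAfter time.Time
	RootSig             []byte // root signature over certTBS(PubKey, NotBefore, NotAfter)
}

// certTBS is the to-be-signed encoding: raw public key followed by the validity window as RFC 3339.
func certTBS(pub ed25519.PublicKey, nb, na time.Time) []byte {
	return append(append([]byte(nil), pub...), nb.UTC().Format(time.RFC3339)+"|"+na.UTC().Format(time.RFC3339)...)
}

// IssueSignerCert is the root key's only routine job: authorise a signer for `days` days.
func IssueSignerCert(rootPriv ed25519.PrivateKey, signerPub ed25519.PublicKey, nb time.Time, days int) SignerCert {
	na := nb.AddDate(0, 0, days)
	return SignerCert{PubKey: signerPub, NotBefore: nb, NotAfter: na, RootSig: ed25519.Sign(rootPriv, certTBS(signerPub, nb, na))}
}

// VerifyCredential is the verifier's chain check: trust anchor -> signer cert -> credential.
func VerifyCredential(rootPub ed25519.PublicKey, cert SignerCert, cred, sig []byte, now time.Time) error {
	if !ed25519.Verify(rootPub, certTBS(cert.PubKey, cert.NotBefore, cert.NotAfter), cert.RootSig) {
		return errors.New("signer certificate not authorised by trust anchor")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("signer certificate outside validity window")
	}
	if !ed25519.Verify(cert.PubKey, cred, sig) {
		return errors.New("credential signature invalid")
	}
	return nil
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)     // would live in the HSM
	signerPub, signerPriv, _ := ed25519.GenerateKey(rand.Reader) // rotated every 30 days
	cert := IssueSignerCert(rootPriv, signerPub, time.Now(), 30)
	cred := []byte(`{"doctype":"mDL","family_name":"Example"}`) // constructed sample, not a real credential
	sig := ed25519.Sign(signerPriv, cred)
	fmt.Println("verify:", VerifyCredential(rootPub, cert, cred, sig, time.Now()))
}
```

A credential signed by a rotated-out signer, a tampered credential, or a signer the root never authorized all fail the same chain check, which is what lets the root stay offline while issuance continues.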

Device key management

On the holder side, device keys are generated and protected using the phone’s hardware-backed security (such as a Secure Enclave or secure element, depending on platform). These keys bind credentials to specific devices, preventing them from being copied or transferred.

When a device is lost, compromised, or replaced, the holder needs a path to recover. This typically means re-authenticating with the issuer and obtaining a new credential bound to a new device key. The old credential can be revoked to prevent misuse.

Key rotation and recovery

Keys don't last forever. They may be rotated on schedule to limit exposure windows, retired when hardware is decommissioned, or revoked if compromise is suspected.

Well-designed systems plan for key lifecycle events from the start. What happens when a signer key expires? How is a new root key established if the old one is compromised? How do holders recover when they lose access to their device keys?

These questions must be answered before deployment, not after a crisis has occurred.

State control over trust anchors

For government identity programs, a critical principle is that control of the public key infrastructure, and especially of the root trust anchors, should remain under the governance of the issuing authority (for example, the state) rather than resting solely with an external vendor. This preserves accountability and prevents any single party from exerting unilateral control over the ecosystem.
