Glossary

[ KEK ] PAYMENT CRYPTOGRAPHY

KEK — Key Encryption Key

Any cryptographic key whose sole purpose is to protect other keys (working keys, session keys, transport keys) during storage or transmission. Forms the foundation of hierarchical key management.

Standard: NIST SP 800-57 / ISO 11568
Origin: NIST / ISO

What is a Key Encryption Key?

A Key Encryption Key (KEK) is a cryptographic key dedicated to encrypting other keys, never user data. KEKs are the joints of a hierarchical key-management architecture: the Local Master Key (LMK) at the top of an HSM is a KEK that protects every other key stored there; the Zone Master Key (ZMK) is a KEK that protects working keys in transit between organizations; an envelope key wrapping a database column's data encryption key (DEK) is a KEK protecting that DEK at rest.

The reason for KEKs is operational: working keys (the ones that actually encrypt PINs, transactions, or sensitive data) need to be frequently created, rotated, transported, and destroyed. KEKs change rarely and live in physically protected places (HSMs, secure enclaves, root key ceremonies). By only ever transmitting working keys wrapped under KEKs, the hard work of protecting cryptographic material is concentrated on the few long-lived KEKs rather than the many short-lived working keys.

KEKs in Payment Cryptography

A typical payment-processing HSM has multiple KEKs in active use simultaneously: one or more LMKs (one per HSM cluster), several ZMKs (one per counterparty), occasional transport KEKs for internal HSM-to-HSM key migration, and possibly TR-31 wrapping keys for key-block-based exchange. Each KEK has a strict policy attached: what kinds of keys it may wrap, what algorithms it may be used with, and whether unwrapped keys may leave the HSM in clear form (usually never).

NIST SP 800-57 mandates that a KEK be at least as strong as the strongest key it protects, and that a KEK never be used for both encryption and signing. PCI PIN Security and TR-31 add the further requirement that KEKs in payment use be at least double-length 3DES (112 bits effective), with migration to AES-256 under PCI PIN Security v3.1.
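The wrap/unwrap discipline described above (a KEK protecting a working key, with a per-KEK policy on what it may wrap and the SP 800-57 strength rule) as an added Go example; it is not code from this page or from any HSM vendor. It assumes an AES-GCM wrapping format of its own (nonce || ciphertext, usage label bound as associated data) rather than a real TR-31 key block, and the KEK type and its field names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KEK is a wrapping key plus its policy (hypothetical type, not an HSM API).
type KEK struct {
	Key        []byte          // 16, 24 or 32 bytes -> AES-128/192/256
	AllowedUse map[string]bool // key usages this KEK may wrap, e.g. "DEK"
}

func (k *KEK) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(k.Key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapKey wraps a working key under the KEK with AES-GCM; the usage label is bound as associated data (the role a TR-31 key-block header plays).
func (k *KEK) WrapKey(workingKey []byte, usage string) ([]byte, error) {
	if !k.AllowedUse[usage] {
		return nil, errors.New("policy: KEK may not wrap " + usage + " keys")
	}
	if len(workingKey) > len(k.Key) { // SP 800-57: KEK at least as strong
		return nil, errors.New("policy: KEK weaker than the key it protects")
	}
	gcm, err := k.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, workingKey, []byte(usage))...), nil
}

// UnwrapKey fails if the KEK, the blob or the usage label was changed.
func (k *KEK) UnwrapKey(blob []byte, usage string) ([]byte, error) {
	gcm, err := k.aead()
	if err != nil || len(blob) < gcm.NonceSize() { // || short-circuits on nil gcm
		return nil, errors.New("unusable KEK or truncated key blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(usage))
}
```

A 16-byte DEK wrapped under a 32-byte KEK round-trips, while unwrapping with a different KEK, a different usage label, a truncated or modified blob, or wrapping a 32-byte key under a 16-byte KEK, is refused.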

Frequently Asked Questions

What is the difference between a KEK and a DEK?
A KEK (Key Encryption Key) encrypts other keys. A DEK (Data Encryption Key) encrypts user data. The DEK does the actual work of protecting payloads; the KEK exists only to wrap the DEK for safe storage and transport. This separation is the basis of envelope encryption.
Why not just use one key for everything?
Operational separation. Working keys need frequent rotation; KEKs do not. Centralizing the "hard" key-protection problem on a small number of KEKs lets you rotate working keys cheaply. It also limits blast radius: if a working key is compromised, only the data it encrypted is at risk, not the whole keystore.
Is an LMK a KEK?
Yes. The Local Master Key is the topmost KEK in an HSM's hierarchy. Every other key stored on that HSM is encrypted under the LMK. The LMK itself is never persisted in clear form anywhere — it is reconstructed at HSM startup from key components held by trusted officers.
