Home

Keysets

A keyset is a collection of cryptographic keys managed as a unit. It provides a way to store, rotate, and apply multiple keys for cryptographic operations. In many libraries, a keyset is separate from the actual key material and is used to reference keys stored securely.

In typical implementations, a keyset contains multiple keys, each with a unique identifier, a status (enabled,

The keyset supports rotation: a new key can be added to the set and designated as primary,

Keysets are central in cryptographic libraries and cloud services. For example, Google’s Tink library uses a

Security considerations include restricting access, monitoring usage, ensuring proper lifecycle management, protecting key material with hardware

See also Key management, Key rotation, Public-key cryptography, Tink, HSM.

disabled,
destroyed),
a
purpose
(encryption,
decryption,
signing,
verification),
and
a
flag
indicating
which
key
is
primary.
Some
designs
separate
the
key
metadata
from
the
key
material,
with
the
material
stored
in
a
secure
store
and
referenced
by
the
key
entries.
while
older
keys
remain
in
the
set
to
decrypt
or
verify
legacy
data.
The
primary
key
is
used
for
new
operations,
and
keys
can
be
disabled
or
destroyed
when
no
longer
needed.
Backups
and
careful
access
control
are
required
to
preserve
data
integrity.
Keyset
and
a
KeysetHandle
to
manage
keys
for
a
cryptographic
primitive,
while
cloud
KMS
offerings
organize
keys
into
key
rings
or
keysets
for
centralized
management.
They
enable
transparent
key
rotation
without
changing
application
code.
security
modules
or
secure
enclaves,
and
implementing
auditing
and
key
revocation
for
compromised
keys.