Cryptographic Key Establishment and Management
System and Communications Protection Policy for cloud.gov
Authorized federal staff rotate, encrypt, and back up keys monthly. Privileged users access the keys only with two-factor authentication and a decryption passphrase. In the rare case that both the keys and the decryption passphrase for the backup are lost or compromised, authorized staff can rotate in new keys while maintaining availability of information.