Key Management Orchestrator Skill

Purpose

Orchestrate cryptographic key lifecycle management across key management systems, including key generation, distribution, rotation, destruction, and compliance monitoring.

Capabilities

Key Generation

• Generate cryptographic keys with proper entropy
• Create keys with appropriate algorithms and sizes
• Generate keys within HSM boundaries
• Create key pairs for asymmetric operations
• Generate derived keys using approved KDFs
• Document key generation metadata

Key Rotation Management

• Define and enforce rotation policies
• Schedule automatic key rotations
• Execute zero-downtime rotations
• Coordinate multi-system rotations
• Maintain key version history
• Handle rotation rollbacks

Key Usage Tracking

• Monitor key usage patterns
• Track encryption/decryption operations
• Identify unused or orphaned keys
• Detect anomalous usage patterns
• Measure key usage against policies
• Generate usage audit reports

Key Destruction

• Execute secure key destruction
• Verify destruction completeness
• Document destruction certificates
• Handle key material in backups
• Manage crypto-shredding operations
• Maintain destruction audit trails

HSM Integration

• Interface with hardware security modules
• Manage HSM key hierarchies
• Handle HSM backup and recovery
• Monitor HSM health and capacity
• Coordinate multi-HSM deployments
• Validate FIPS compliance

Key Operations Auditing

• Log all key lifecycle events
• Generate compliance audit reports
• Track key custodian changes
• Document key ceremonies
• Monitor policy violations
• Support forensic investigations

Key Types Managed

Key Type	Use Case	Rotation Period
Master Keys	Key encryption keys	Annual
Data Keys	Data encryption	Monthly
Signing Keys	Code/document signing	Annual
TLS Keys	Transport security	Annual
API Keys	Service authentication	90 days
Session Keys	Ephemeral encryption	Per-session

Key Lifecycle Stages

1. Generation: Secure key creation with proper entropy
2. Distribution: Secure key transport to authorized systems
3. Activation: Key enabled for cryptographic operations
4. Use: Active cryptographic operations
5. Rotation: Scheduled key replacement
6. Deactivation: Key disabled but retained
7. Destruction: Secure permanent deletion

Integrations

• HashiCorp Vault: Secrets and key management
• AWS KMS: Cloud key management service
• Azure Key Vault: Microsoft key management
• GCP Cloud KMS: Google key management
• Thales Luna HSM: Hardware security modules
• AWS CloudHSM: Cloud-based HSM

Target Processes

• Cryptography and Key Management Process
• Secrets Management
• Certificate Lifecycle Management
• Data Encryption Key Management

Input Schema

{
  "type": "object",
  "properties": {
    "operation": {
      "type": "string",
      "enum": ["generate", "rotate", "destroy", "audit", "policy-check", "inventory"],
      "description": "Key management operation"
    },
    "keyType": {
      "type": "string",
      "enum": ["master", "data", "signing", "tls", "api", "session"],
      "description": "Type of cryptographic key"
    },
    "algorithm": {
      "type": "string",
      "enum": ["AES-256", "RSA-2048", "RSA-4096", "ECDSA-P256", "ECDSA-P384", "Ed25519"],
      "description": "Cryptographic algorithm"
    },
    "keyManagementSystem": {
      "type": "string",
      "enum": ["vault", "aws-kms", "azure-keyvault", "gcp-kms", "hsm"],
      "description": "Target key management system"
    },
    "keyId": {
      "type": "string",
      "description": "Key identifier for operations on existing keys"
    },
    "rotationPolicy": {
      "type": "object",
      "properties": {
        "maxAge": { "type": "string" },
        "autoRotate": { "type": "boolean" },
        "notifyBefore": { "type": "string" }
      }
    },
    "destructionVerification": {
      "type": "boolean",
      "description": "Require destruction verification"
    },
    "complianceFrameworks": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["NIST", "FIPS-140-3", "PCI-DSS", "HIPAA", "SOC2"]
      }
    }
  },
  "required": ["operation"]
}

Output Schema

{
  "type": "object",
  "properties": {
    "operationId": {
      "type": "string"
    },
    "operation": {
      "type": "string"
    },
    "timestamp": {
      "type": "string",
      "format": "date-time"
    },
    "keyInfo": {
      "type": "object",
      "properties": {
        "keyId": { "type": "string" },
        "keyType": { "type": "string" },
        "algorithm": { "type": "string" },
        "keySize": { "type": "integer" },
        "createdAt": { "type": "string" },
        "expiresAt": { "type": "string" },
        "version": { "type": "integer" },
        "status": { "type": "string", "enum": ["active", "inactive", "pending-destruction", "destroyed"] }
      }
    },
    "rotationStatus": {
      "type": "object",
      "properties": {
        "previousVersion": { "type": "integer" },
        "newVersion": { "type": "integer" },
        "rotatedAt": { "type": "string" },
        "affectedSystems": { "type": "array" },
        "rollbackAvailable": { "type": "boolean" }
      }
    },
    "destructionCertificate": {
      "type": "object",
      "properties": {
        "keyId": { "type": "string" },
        "destroyedAt": { "type": "string" },
        "method": { "type": "string" },
        "verificationHash": { "type": "string" },
        "witness": { "type": "string" }
      }
    },
    "auditReport": {
      "type": "object",
      "properties": {
        "period": { "type": "object" },
        "keysInventoried": { "type": "integer" },
        "rotationsCompleted": { "type": "integer" },
        "policyViolations": { "type": "integer" },
        "unusedKeys": { "type": "array" },
        "expiringKeys": { "type": "array" }
      }
    },
    "complianceStatus": {
      "type": "object",
      "properties": {
        "framework": { "type": "string" },
        "compliant": { "type": "boolean" },
        "findings": { "type": "array" }
      }
    },
    "recommendations": {
      "type": "array",
      "items": { "type": "string" }
    }
  }
}

Usage Example

skill: {
  name: 'key-management-orchestrator',
  context: {
    operation: 'rotate',
    keyType: 'data',
    keyManagementSystem: 'vault',
    keyId: 'prod-encryption-key',
    rotationPolicy: {
      maxAge: '90d',
      autoRotate: true,
      notifyBefore: '7d'
    }
  }
}