REQ.145 Protect system cryptographic keys
System private asymmetric or symmetric keys must be protected and must not be exposed.
OWASP-ASVS v3.1-1.12 There is an explicit policy for how cryptographic keys (if any) are managed, and the lifecycle of cryptographic keys is enforced. Ideally, follow a key management standard such as NIST SP 800-57.
OWASP-ASVS v3.1-7.9 Verify that there is an explicit policy for how cryptographic keys are managed (e.g., generated, distributed, revoked, and expired). Verify that this key lifecycle is properly enforced.
OWASP-ASVS v3.1-7.11 Verify that all consumers of cryptographic services do not have direct access to key material. Isolate cryptographic processes, including master secrets and consider the use of a virtualized or physical hardware key vault (HSM).
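To illustrate the lifecycle (7.9) and key-isolation (7.11) requirements together, here is an added Python example, not from the OWASP ASVS or this requirement catalogue: a minimal in-process key service where consumers hold only key ids, keys carry an explicit expiry and can be revoked, and an expired key may still verify but no longer sign (the NIST SP 800-57 "deactivated" state). The `KeyVault` class, its lifetime parameter and the injectable clock are assumptions made for the example; a production system would place this boundary in an HSM or key vault.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class _KeyRecord:
    # Key material lives only inside the vault; consumers never see it.
    secret: bytes
    created: float
    expires: float
    revoked: bool = False


class KeyVault:
    """Constructed in-process stand-in for a key service (not an HSM).

    Callers get a key id from generate() and ask the vault to sign or
    verify; raw key bytes never cross this API boundary (ASVS 7.11).
    Each key has an explicit lifetime and can be revoked (ASVS 7.9).
    """

    def __init__(self, lifetime_s: float, clock=time.time):
        self._keys: dict[str, _KeyRecord] = {}
        self._lifetime = lifetime_s
        self._clock = clock  # injectable so expiry can be tested

    def generate(self) -> str:
        key_id = secrets.token_hex(8)
        now = self._clock()
        self._keys[key_id] = _KeyRecord(secrets.token_bytes(32), now, now + self._lifetime)
        return key_id  # only the handle is returned, never the secret

    def revoke(self, key_id: str) -> None:
        # Revoked (e.g. compromised) keys are refused for every operation.
        self._keys[key_id].revoked = True

    def _active(self, key_id: str) -> _KeyRecord:
        rec = self._keys[key_id]
        if rec.revoked:
            raise PermissionError(f"key {key_id} is revoked")
        if self._clock() >= rec.expires:
            raise PermissionError(f"key {key_id} has expired")
        return rec

    def can_sign(self, key_id: str) -> bool:
        try:
            self._active(key_id)
            return True
        except PermissionError:
            return False

    def sign(self, key_id: str, data: bytes) -> bytes:
        # Signing (protection) is allowed only while the key is active.
        return hmac.new(self._active(key_id).secret, data, hashlib.sha256).digest()

    def verify(self, key_id: str, data: bytes, tag: bytes) -> bool:
        # Verification (processing) is allowed for expired but not revoked keys.
        rec = self._keys[key_id]
        if rec.revoked:
            return False
        expected = hmac.new(rec.secret, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)
```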