Australia: Australian Signals Directorate and Department of Industry, Science and Resources guidelines on managing cryptographic keys and secrets

Description

On 22 August 2025, the Australian Signals Directorate and the Department of Industry, Science and Resources released guidelines on managing cryptographic keys and secrets. The guidelines are addressed to organisational security personnel, including architects and IT security managers, in cloud, on-premises, or hybrid environments. They consider threats to asymmetric keys, symmetric keys, digital certificates, and secrets. The guidelines recommend that organisations adopt a Key Management Plan (KMP) governing the entire life cycle of cryptographic material: governance, generation, registration, storage, access, distribution, rollover, and destruction. They also recommend generating keys and secrets with cryptographically secure methods and sufficient entropy, and storing them securely, preferably in Hardware Security Modules (HSMs). Secure distribution methods and verifiable exchange mechanisms are advised to prevent interception, as is limiting access. The guidelines also explain chains of trust for digital certificates, covering the roles of root and intermediate Certificate Authorities and the need for validation, expiration checks, and revocation monitoring. Positions of trust with access to sensitive material require additional security measures, including the principle of least privilege and separation of duties. Finally, the guidance stipulates that oversight through auditing and monitoring is essential to detect and respond to unauthorised access or misuse, without logging the sensitive key material itself.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: cross-cutting
Implementation Level: national
Government Branch: executive
Government Body: other regulatory body

Complete timeline of this policy change

2025-08-22: adopted