Master Key
What is Master Key?
Master KeyA high-value long-term key from which other cryptographic keys are derived or which directly encrypts other keys.
A master key is a long-lived cryptographic key whose primary role is to generate, protect, or wrap other keys rather than to encrypt user data directly. Common patterns include using a master key as a Key Encryption Key (KEK) that wraps short-lived Data Encryption Keys (DEKs) in envelope encryption schemes (AWS KMS, GCP KMS, Azure Key Vault), as the seed for a hierarchical KDF (HKDF "master secret", BIP32 wallet master keys), or as the database master key in TDE-style systems. Because compromising the master key compromises everything it protects, master keys are stored in HSMs, TPMs, or secure enclaves, used only for short cryptographic operations, rotated according to documented cryptoperiods, and access is restricted by strict authentication and audit policies.
● Examples
- 01
An AWS KMS customer master key (CMK) wraps data keys used by S3 server-side encryption.
- 02
A BIP32 hierarchical-deterministic wallet derives all account keys from a single master seed.
● Frequently asked questions
What is Master Key?
A high-value long-term key from which other cryptographic keys are derived or which directly encrypts other keys. It belongs to the Cryptography category of cybersecurity.
What does Master Key mean?
A high-value long-term key from which other cryptographic keys are derived or which directly encrypts other keys.
How do you defend against Master Key?
Defences for Master Key typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Master Key?
Common alternative names include: Root key, Master encryption key (MEK).