InterviewStack.io LogoInterviewStack.io

Key Management and Key Derivation Questions

Comprehensive knowledge of key management and key derivation functions, including how to derive cryptographic keys from passwords and from random entropy using algorithms such as PBKDF2, scrypt, bcrypt, and Argon2, and how to choose and tune parameters like salt, work factor, memory cost, and time cost. Understanding of secure key generation practices, entropy sources, and techniques for protecting key material in memory and at rest including use of hardware security modules, key wrapping, and encrypted key stores. Familiarity with key lifecycle management including generation, storage, access control, rotation policies, secure deletion, archival, and disposal, as well as key escrow and key recovery considerations. Experience assessing threats and mitigations such as weak KDF selection, brute force and offline attacks, side channel exposures, accidental leakage, and compromise response procedures. Knowledge of multi party and distributed system concerns including key agreement protocols, threshold cryptography, distributed key management, secure distribution and provisioning, auditing, and operational best practices for integrating key management into applications and infrastructure.

HardTechnical
49 practiced
Design a deterministic derivation scheme to produce per-record encryption keys from a master key such that compromise of some derived keys does not enable recovery of other derived keys or the master key. Specify algorithms or KDFs to use, domain separation, inclusion of record-specific metadata, and analyze forward/selected-key compromise resistance.
EasyTechnical
63 practiced
What is key wrapping and how does it differ from encrypting arbitrary data? Describe common key wrapping algorithms (e.g., AES-KW / RFC 3394, AES-GCM wrapping) and explain why integrity/authentication and atomic unwrap semantics are important in key management systems.
MediumSystem Design
56 practiced
Design a scheme using HKDF to derive multiple independent keys (encryption key, MAC key, IV/nonce seed, and key-encryption-key) from a single per-tenant master secret for a multi-tenant SaaS environment. Specify use of extract and expand, salts, info/context strings, label separation, and how you would handle per-tenant rotation and forward/backward compatibility.
MediumTechnical
48 practiced
Compare Argon2i, Argon2d, and Argon2id. For each variant specify whether it is data-dependent or data-independent in memory access, its suitability vs side-channel attacks, and recommended uses (e.g., password hashing vs key derivation vs keyed use). Why is Argon2id often recommended for general password hashing?
MediumTechnical
58 practiced
Explain common side-channel risks in KDF implementations: timing leaks, cache-based attacks, memory access pattern leakage, and power analysis. For each risk, provide concrete coding and deployment mitigations, including which KDFs are naturally safer and what runtime/hardware mitigations you would deploy in a multi-tenant cloud.

Unlock Full Question Bank

Get access to hundreds of Key Management and Key Derivation interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.