InterviewStack.io LogoInterviewStack.io

Cryptographic Key Management and Infrastructure Questions

Designing, implementing, and operating systems that manage cryptographic keys and associated cryptographic infrastructure across the full lifecycle of keys and certificates. This includes secure key generation using validated entropy sources and randomness validation, key hierarchies and key derivation strategies, master key protection, algorithm selection and algorithm agility planning, and key migration strategies. It covers secure storage options and protections such as hardware security modules, cloud key management services and key vaults, encrypted and sealed storage patterns, and practical deployment considerations for both on premise and cloud environments. Access control and authorization patterns such as role based access control, separation of duties, and least privilege enforcement are essential, along with automated provisioning, rotation, retirement, and deprovisioning workflows. Operational topics include secure key distribution to services and devices, secure archival and destruction procedures, key escrow and recovery mechanisms, backup and disaster recovery for key material, incident response and handling of compromised keys, and audit logging and monitoring of key operations. Public key infrastructure and certificate lifecycle management are included, covering trust models, certificate issuance and renewal, revocation mechanisms and online status checking, and integration with identity and access management systems. Candidates should also address testing and validation approaches, cryptographic module attestation and tamper resistance, threat modeling and key compromise drills, standards and compliance considerations including guidance from the National Institute of Standards and Technology and other frameworks, scaling and performance trade offs for enterprise and internet scale deployments, and the balance between operational convenience, availability, and cryptographic assurance.

EasyTechnical
40 practiced
Design role-based access control and separation-of-duties for a corporate key management system. Define at least four roles (e.g., key-admin, operator, auditor, developer), the minimum permissions each needs for key creation, use, rotation, archival, and destruction, and describe technical controls to enforce least privilege and approval workflows.
MediumTechnical
35 practiced
Define a secure backup and disaster-recovery plan for master keys that protect data encryption keys. Specify RPO/RTO targets, storage protections (encryption of backups and key-wrapping), geographic distribution, access controls for retrieval, and test procedures to validate recovery in a safe way.
MediumSystem Design
33 practiced
Design an internal PKI to issue and manage TLS certificates for 100k microservices across multiple clusters and cloud providers. Address CA hierarchy, certificate templates, automated enrollment/renewal (ACME or internal protocols), revocation at scale, trust distribution, and monitoring of certificate health.
MediumTechnical
34 practiced
Write a Terraform configuration snippet that provisions an AWS KMS symmetric key with key rotation enabled, a dedicated admin role with restricted permissions, and a grant allowing a Lambda function to encrypt/decrypt without exposing key material. Include the relevant IAM policy and explain how this enforces separation of duties.
MediumTechnical
66 practiced
Write a Python script (boto3) that rotates an AES-256 data encryption key wrapped by an AWS KMS CMK. The script should: 1) generate a new data key, 2) re-encrypt (re-wrap) existing envelope keys in batches, 3) atomically switch pointers (e.g., database metadata) to the new key version, and 4) log actions for auditing. Provide pseudocode or runnable code and discuss rollback and idempotency.

Unlock Full Question Bank

Get access to hundreds of Cryptographic Key Management and Infrastructure interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.