Physical Security and Key Management
Protecting the material COMSEC actually depends on
Lesson Objectives
- Identify what counts as protected COMSEC material
- Apply the core best practices for handling and storing that material
- Explain why physical security is often the weakest link in an otherwise sound COMSEC system
- Describe secure key exchange options in order of preference
Physical security is often the weakest link
A group can have a well-designed cryptographic system, disciplined operators, and a solid authentication protocol — and still lose everything because a radio was left in an unlocked vehicle, or a printed key sheet was left on a table during a break. Physical security of COMSEC material is frequently the softest target in the whole system, because it does not require breaking any code. It only requires access.
Protected material includes
- Radios and radio accessories capable of secure operation
- Encryption keys and any key-loading devices
- Codebooks, one-time pads, and authentication sheets
- Written procedures, cheat sheets, and net rosters
Four rules that cover most of the risk
-
1
Restrict access on a strict need-to-know basis
Not every member of a group needs access to every piece of key material. The fewer hands that touch it, the smaller the compromise surface if something goes wrong. This is the same compartmentalization principle covered in more depth in SEC-02, OPSEC — need-to-know is not a COMSEC-specific idea, it is a general information-security discipline applied here to key material specifically.
-
2
Never leave crypto material unattended
A locked vehicle is not the same as attended material. Unattended means unattended, even for a few minutes.
-
3
Assume lost equals compromised
Do not wait to see if a lost key sheet or radio turns up. The moment you cannot account for it, treat everything it could expose as burned and act accordingly — which usually means rotating to the next key or authentication set immediately.
-
4
Destroy expired or used crypto material immediately
A used one-time pad page or an expired authentication table sitting in a drawer is a liability with no upside. Destroy it as soon as it is no longer needed, not at the next convenient cleaning day.
“Assume lost equals compromised” is the rule most groups skip. It is tempting to wait and see, especially when replacing key material is inconvenient. That hesitation is exactly the gap an adversary needs. Treat the loss as real the moment you notice it.
Getting new key material to people safely
Key material has to move from wherever it is generated to every operator who needs it, and that movement is its own point of risk. In order of preference:
| Method | Notes |
|---|---|
| Hand-carry | The gold standard. A trusted person physically carries the material and hands it to the recipient. No transmission, no interception risk in transit. |
| Trusted encrypted channel with an out-of-band password | Acceptable secondary option. The password or key needed to open the file is communicated through a different channel than the file itself, so intercepting one does not give an adversary the other. |
| Electronic transmission of the key itself | Avoid whenever possible. Transmitting keys electronically — even over what looks like a secure service — multiplies the number of points where interception could occur. |
Commercial encrypted email or file-sharing services may provide solid transport security, but that is not the same as protecting the key material itself. File-level encryption with an independent, separately-delivered password is strongly recommended even when the transport channel is already encrypted — it means a single compromised channel does not expose the key.
Related courses: COM-04 EMCON • COM-06 Authentication & Challenge/Reply • COM-07 One-Time Pads • COM-08 Dead Drop & Courier Protocols • COM-09 Cryptographic Security • SEC-02 OPSEC • INT-02 RTSA • INT-03 SALUTE & SPOT Reporting • PLN-04 PREP-CON • PLN-05 COMCON
| ← Lesson 1 |