Which statement about encryption keys and key-encrypting keys is correct?

Prepare for the PCI Data Security Standard Test with our quiz. Use flashcards and multiple-choice questions to learn each concept. Get ready to excel in your examination!

Multiple Choice

Which statement about encryption keys and key-encrypting keys is correct?

Explanation:
In encryption key management, the key-encrypting key (KEK) protects the data-encryption key (DEK), which in turn protects the actual data. Because the KEK is the protection layer for the DEK, it should be at least as strong as the DEK; otherwise a weaker KEK becomes the easiest path to recovering the DEK and, through it, the data. In practice, KEKs are stored and managed securely (often in an HSM) with strong algorithms and strict access controls, and they are rotated independently from DEKs. The other statements don’t fit: making the DEK stronger than the KEK would undermine protection; requiring the same key for both removes defense in depth; and assuming key management isn’t needed if data is masked is inaccurate, since masking isn’t a substitute for proper encryption key management.
