ReddRadar
Agent skill
key-management-orchestrator
Cryptographic key lifecycle management orchestration including generation, rotation, and destruction across key management systems
Install this agent skill to your Project
npx add-skill https://github.com/a5c-ai/babysitter/tree/main/library/specializations/security-compliance/skills/key-management-orchestrator
SKILL.md
Key Management Orchestrator Skill
Purpose
Orchestrate cryptographic key lifecycle management across key management systems, including key generation, distribution, rotation, destruction, and compliance monitoring.
Capabilities
Key Generation
- Generate cryptographic keys with proper entropy
- Create keys with appropriate algorithms and sizes
- Generate keys within HSM boundaries
- Create key pairs for asymmetric operations
- Generate derived keys using approved KDFs
- Document key generation metadata
Key Rotation Management
- Define and enforce rotation policies
- Schedule automatic key rotations
- Execute zero-downtime rotations
- Coordinate multi-system rotations
- Maintain key version history
- Handle rotation rollbacks
Key Usage Tracking
- Monitor key usage patterns
- Track encryption/decryption operations
- Identify unused or orphaned keys
- Detect anomalous usage patterns
- Measure key usage against policies
- Generate usage audit reports
Key Destruction
- Execute secure key destruction
- Verify destruction completeness
- Document destruction certificates
- Handle key material in backups
- Manage crypto-shredding operations
- Maintain destruction audit trails
HSM Integration
- Interface with hardware security modules
- Manage HSM key hierarchies
- Handle HSM backup and recovery
- Monitor HSM health and capacity
- Coordinate multi-HSM deployments
- Validate FIPS compliance
Key Operations Auditing
- Log all key lifecycle events
- Generate compliance audit reports
- Track key custodian changes
- Document key ceremonies
- Monitor policy violations
- Support forensic investigations
Key Types Managed
| Key Type | Use Case | Rotation Period |
|---|---|---|
| Master Keys | Key encryption keys | Annual |
| Data Keys | Data encryption | Monthly |
| Signing Keys | Code/document signing | Annual |
| TLS Keys | Transport security | Annual |
| API Keys | Service authentication | 90 days |
| Session Keys | Ephemeral encryption | Per-session |
Key Lifecycle Stages
- Generation: Secure key creation with proper entropy
- Distribution: Secure key transport to authorized systems
- Activation: Key enabled for cryptographic operations
- Use: Active cryptographic operations
- Rotation: Scheduled key replacement
- Deactivation: Key disabled but retained
- Destruction: Secure permanent deletion
Integrations
- HashiCorp Vault: Secrets and key management
- AWS KMS: Cloud key management service
- Azure Key Vault: Microsoft key management
- GCP Cloud KMS: Google key management
- Thales Luna HSM: Hardware security modules
- AWS CloudHSM: Cloud-based HSM
Target Processes
- Cryptography and Key Management Process
- Secrets Management
- Certificate Lifecycle Management
- Data Encryption Key Management
Input Schema
{
"type": "object",
"properties": {
"operation": {
"type": "string",
"enum": ["generate", "rotate", "destroy", "audit", "policy-check", "inventory"],
"description": "Key management operation"
},
"keyType": {
"type": "string",
"enum": ["master", "data", "signing", "tls", "api", "session"],
"description": "Type of cryptographic key"
},
"algorithm": {
"type": "string",
"enum": ["AES-256", "RSA-2048", "RSA-4096", "ECDSA-P256", "ECDSA-P384", "Ed25519"],
"description": "Cryptographic algorithm"
},
"keyManagementSystem": {
"type": "string",
"enum": ["vault", "aws-kms", "azure-keyvault", "gcp-kms", "hsm"],
"description": "Target key management system"
},
"keyId": {
"type": "string",
"description": "Key identifier for operations on existing keys"
},
"rotationPolicy": {
"type": "object",
"properties": {
"maxAge": { "type": "string" },
"autoRotate": { "type": "boolean" },
"notifyBefore": { "type": "string" }
}
},
"destructionVerification": {
"type": "boolean",
"description": "Require destruction verification"
},
"complianceFrameworks": {
"type": "array",
"items": {
"type": "string",
"enum": ["NIST", "FIPS-140-3", "PCI-DSS", "HIPAA", "SOC2"]
}
}
},
"required": ["operation"]
}
Output Schema
{
"type": "object",
"properties": {
"operationId": {
"type": "string"
},
"operation": {
"type": "string"
},
"timestamp": {
"type": "string",
"format": "date-time"
},
"keyInfo": {
"type": "object",
"properties": {
"keyId": { "type": "string" },
"keyType": { "type": "string" },
"algorithm": { "type": "string" },
"keySize": { "type": "integer" },
"createdAt": { "type": "string" },
"expiresAt": { "type": "string" },
"version": { "type": "integer" },
"status": { "type": "string", "enum": ["active", "inactive", "pending-destruction", "destroyed"] }
}
},
"rotationStatus": {
"type": "object",
"properties": {
"previousVersion": { "type": "integer" },
"newVersion": { "type": "integer" },
"rotatedAt": { "type": "string" },
"affectedSystems": { "type": "array" },
"rollbackAvailable": { "type": "boolean" }
}
},
"destructionCertificate": {
"type": "object",
"properties": {
"keyId": { "type": "string" },
"destroyedAt": { "type": "string" },
"method": { "type": "string" },
"verificationHash": { "type": "string" },
"witness": { "type": "string" }
}
},
"auditReport": {
"type": "object",
"properties": {
"period": { "type": "object" },
"keysInventoried": { "type": "integer" },
"rotationsCompleted": { "type": "integer" },
"policyViolations": { "type": "integer" },
"unusedKeys": { "type": "array" },
"expiringKeys": { "type": "array" }
}
},
"complianceStatus": {
"type": "object",
"properties": {
"framework": { "type": "string" },
"compliant": { "type": "boolean" },
"findings": { "type": "array" }
}
},
"recommendations": {
"type": "array",
"items": { "type": "string" }
}
}
}
Usage Example
skill: {
name: 'key-management-orchestrator',
context: {
operation: 'rotate',
keyType: 'data',
keyManagementSystem: 'vault',
keyId: 'prod-encryption-key',
rotationPolicy: {
maxAge: '90d',
autoRotate: true,
notifyBefore: '7d'
}
}
}
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
a5c-ai/babysitter
gsd-tools
Central utility skill for GSD operations. Provides config parsing, slug generation, timestamps, path operations, and orchestrates calls to other specialized skills. Acts as the unified entry point that the original gsd-tools.cjs provided via its lib/ modules (commands, config, core, init).
a5c-ai/babysitter
model-profile-resolution
Resolve model profile (quality/balanced/budget) at orchestration start and map agents to specific models. Enables cost/quality tradeoffs by selecting appropriate AI models for each agent role.
a5c-ai/babysitter
verification-suite
Plan structure validation, phase completeness checks, reference integrity verification, and artifact existence confirmation. Provides the structured verification layer ensuring GSD artifacts are well-formed and complete.
a5c-ai/babysitter
state-management
STATE.md reading, writing, and field-level updates. Provides cross-session state persistence via .planning/STATE.md with structured fields for current task, completed phases, blockers, decisions, and quick tasks.
a5c-ai/babysitter
git-integration
Git commit patterns, formats, and conventions for GSD methodology. Provides atomic commits per task, structured commit messages, planning file commits, branch management, and milestone tag operations.
a5c-ai/babysitter
frontmatter-parsing
YAML frontmatter parsing and manipulation for .planning/ documents. Provides read, write, update, query, and validation operations on frontmatter blocks in GSD markdown artifacts.
Didn't find tool you were looking for?