Key Usage: How Cryptographic Keys Secure e-Signatures
Understanding Key Usage in Digital Signatures and Document Security
Cryptographic key usage is the technical foundation that makes electronic signatures trustworthy. While most people never interact directly with cryptographic keys, understanding what they do — and why they matter — helps explain the difference between a simple electronic signature and a digitally secured one.
What is Key Usage?
Key usage refers to the specific operations a cryptographic key is permitted to perform. In the context of digital signatures and document security, cryptographic keys are used to:
- Sign — create a digital signature that proves the document came from a specific source
- Verify — confirm that a signature is authentic and the document has not been altered
- Encrypt — protect document contents so only authorised parties can read them
- Authenticate — prove the identity of a user or system
Each key is assigned specific usage permissions — a key designated for signing cannot be used for encryption, and vice versa. This separation of duties is a fundamental security principle called "key usage restriction."
Public Key vs Private Key
Cryptographic key systems typically use a pair of keys:
Private key — kept secret by the owner. Used to create digital signatures and decrypt data meant for the owner. If a private key is compromised, all signatures created with it become suspect.
Public key — shared openly. Used by others to verify signatures created with the corresponding private key, and to encrypt data that only the private key holder can decrypt.
This asymmetric relationship is what makes digital signatures possible: the signer uses their private key to create a signature, and anyone with the corresponding public key can verify it is genuine — without ever having access to the private key.
Key Usage Types in Digital Certificates
When a key is issued as part of a digital certificate (common in advanced and qualified electronic signatures), its usage is explicitly defined:
| Key Usage | Purpose |
|---|---|
| Digital Signature | Creating and verifying signatures on documents and data |
| Non-Repudiation | Creating signatures the signer cannot later deny making |
| Key Encipherment | Encrypting other keys for secure transport |
| Data Encipherment | Encrypting data directly |
| Key Agreement | Establishing shared secret keys between parties |
| Certificate Signing | Signing other certificates (used by certificate authorities) |
For e-signing, the two most relevant usages are digital signature (proving a document was signed by a specific key holder) and non-repudiation (preventing the signer from denying they signed).
Key Usage in Practice: Three Levels of e-Signatures
How key usage applies depends on the type of electronic signature:
Simple Electronic Signatures (SES) No cryptographic keys are involved at the signer level. The signature might be a drawn image, a typed name, or a click-to-sign action. Security comes from the platform's audit trail — email verification, IP logging, timestamps — rather than from cryptographic key pairs.
Most business documents use simple electronic signatures, and they are legally valid under the ESIGN Act (US), eIDAS (EU), and equivalent laws worldwide. The key usage happens at the platform level (securing the connection, protecting the stored document) rather than at the individual signer level.
Advanced Electronic Signatures (AES) The signature is cryptographically linked to the signer and can detect any modification to the document after signing. This requires the signer to have a key pair — typically managed by the e-signing platform or a trusted service provider. Key usage restrictions ensure the signing key can only be used for signatures, not for other purposes.
Qualified Electronic Signatures (QES) The highest level under EU eIDAS regulation. The signing key is stored on a qualified signature creation device (like a smart card or secure USB token), and the key's certificate is issued by a qualified trust service provider. Key usage is strictly controlled — the key can only be used for non-repudiation signatures, ensuring the signer cannot deny their actions.
Why Key Usage Restrictions Matter
Without key usage restrictions, a single compromised key could be used for anything — signing documents, encrypting communications, impersonating certificate authorities. Restricting what each key can do limits the damage if a key is compromised and ensures the cryptographic system works as intended.
For example:
- A key designated for digital signature only cannot be used to decrypt data — even if someone gains access to it
- A key designated for key encipherment cannot create document signatures — even by the key's legitimate owner
- A certificate authority key can only sign certificates, not documents — preventing the most powerful keys in the system from being misused
How GoodSign Handles Security
GoodSign uses simple electronic signatures backed by a comprehensive security infrastructure. While individual signers do not manage their own cryptographic keys, the platform secures every document and signature using industry-standard cryptography:
Encrypted transmission. All data between your browser and GoodSign's servers is encrypted using TLS (Transport Layer Security). This uses key pairs at the server level to ensure no one can intercept documents or signatures in transit.
Encrypted storage. Signed documents are stored with encryption at rest in ISO 27001 and SOC 2 compliant data centres. The encryption keys are managed by the infrastructure — you get the security without the key management burden.
Document integrity. After signing, documents are flattened — signatures and form data are permanently embedded in the PDF. Any post-signing modification would be detectable, providing integrity protection similar to what a digital signature achieves through cryptographic hashing.
Signer verification. Rather than requiring signers to manage cryptographic keys (which introduces significant complexity), GoodSign verifies signer identity through practical methods: email delivery to a verified address, SMS one-time passwords, or biometric passkeys (Face ID/Touch ID). These methods provide strong identity evidence without requiring signers to understand public key infrastructure.
Audit trail. Every signature includes a complete evidence chain: who signed, when, from what device, with what verification method. This trail provides the non-repudiation evidence that in a certificate-based system comes from the cryptographic key itself.
This approach — platform-managed security with practical signer verification — works for the vast majority of business documents. It provides strong evidence of who signed and document integrity, without requiring signers to obtain digital certificates or manage key pairs.
For documents that legally require advanced or qualified electronic signatures with individual cryptographic keys (specific EU regulatory requirements, certain government submissions), you will need a platform that integrates with qualified trust service providers and certificate authorities. For standard business contracts, agreements, and approvals, GoodSign's approach provides equivalent practical security at $1.50 per envelope.
The Bottom Line on Key Usage
Cryptographic key usage is the invisible security layer that underpins digital trust. For most business users, the important thing is not understanding the cryptography — it is choosing a platform that implements it correctly behind the scenes while keeping the signing experience simple.
The best security is the kind you never have to think about. Your documents should be protected by strong encryption, your signatures should be backed by solid identity verification, and your signed documents should be tamper-evident — all without requiring anyone to manage certificates or key pairs.