Changing the Key Encryption Key Properties

If a Key Encryption Key (KEK) was specified when the Cloud VM Set was created, you may be able to change the properties for that KEK based on the options selected when the key was created.

1. Log into the KeyControl webGUI on any node in the cluster using an account with Cloud Admin privileges.

2. In the top menu bar, click Cloud.
3. Select the Cloud VM Set whose KEK properties you want to change.

4. Click the Key Encryption Key tab. The options you can change are displayed as blue links in the webGUI.

   Note:

   If the Key State is Not Imported, then no KEK has been associated with this Cloud VM Set. To add one, see Importing a KEK for an Existing Cloud VM Set.

5. Change any available option by clicking on the current value and then entering a new value in the field. When you are finished with each field, click Save in that field or your changes will be lost. KeyControl applies each change as soon as you click Save. While the change is in process, the Key State changes to ACTIVE_PENDING. When the change has been completed, the Key State returns to ACTIVE.

   Options

   Option	Description
   Key Expiration Period	The length of time for which the KEK and all data encryption keys on the VMs will be valid. To indicate that the KEK should never expire, set this field to 0 (zero). If you change the Key Expiration Period, the new expiration period begins from the day you make the change, not from the day the Cloud VM Set was created. When this time period expires: All disks on all VMs in the Cloud VM Set are automatically detached. What happens to the keys depends on the setting in the Key Expiration Action field. Any attempt to register a new VM with the Cloud VM Set will fail. Any encrypt or decrypt operation on any of the associated VMs will fail. Note: If the Key Expiration Option field is set to Change, you can shorten the expiration period but you cannot lengthen it beyond the original date.
   Key Expiration Action	The options are: No Use — The KEK and all data encryption keys are deactivated but retained. The keys can be reactivated and the expiration date extended if the Key Expiration Option field is set to Extend. Shred — The KEK and all data encryption keys are destroyed and cannot be retrieved. In addition, all VMs in the set are removed from KeyControl and the Cloud VM Set itself is deleted. Only use Shred if you are absolutely certain that you will never need to access the Cloud VM Set or the VMs registered with the Cloud VM Set again.
   Key Expiration Option	The options are: No Change — None of the KEK properties can be changed. The only thing you can do is revoke access to all VMs in the Cloud VM Set by selecting Actions > Revoke Key Encryption Key. Change — You can change the expiration options but you cannot set an expiration date beyond the date originally specified when the Cloud VM Set was created. Extend — You can change any of the expiration options as desired.
   VM Set Retention Period	If Key Expiration Action is set to No Use, this field determines the period of time for which Cloud VM Set objects will be retained after the expiration date is reached. After this period passes, KeyControl permanently deletes all cloud VMs, the Cloud VM Set, and the associated KEK.