Generating a New SEK Key

When you want to rekey the disks in the Cloud VM Set or you have the Auto Rekey option turned on and you want to have a new SEK key available, you need to manually generate one. When you do, KeyControl:

Generates and stores a new version of the SEK key.
Increments the version number shown in the Single Key Encryption Version field and assigns that version number to the new version of the SEK key.
Uses the new SEK key version when you tell KeyControl to encrypt a disk in the Cloud VM Set for the first time.

KeyControl does not automatically rekey any of the previously-encrypted disks. This means that, if you generate a new key and then you encrypt a disk without rekeying the other disks in the Cloud VM Set, data deduplication will not work with the newly-encrypted disk because the data blocks on the new disk will use a different offset from the data blocks on the disks using the older version of the SEK key.

After you rekey the older disks, however, data deduplication will again work for all of the disks in the Cloud VM Set.

Procedure

Log into the KeyControl webGUI on any node in the cluster using an account with Cloud Admin privileges.
In the top menu bar, click Cloud.
On the VM Sets tab, select the Cloud VM Set for which you want to generate a new key.
In the Single Encryption Key State field, click Add New Key.

In the Generate New Single Encryption Key dialog box, specify the options you want to use.

Option	Description
Single Key Encryption Expiration	The date on which the SEK key will expire or "Never" if the SEK never expires. If you specify a date and the SEK key expires, access to every encrypted disk on every VM in the Cloud VM Set will be denied. What happens to the SEK key depends on the setting in the Expiration Action field.
Single Key Encryption Expiration Action	No Use — The key is deactivated but retained. It can be reactivated by setting a future expiration date, or by setting the expiration date to "Never". At that point, all access to the encrypted data will be restored. This is the default. Shred — The key is destroyed and cannot be retrieved. You should only use this option if you are absolutely certain that you will never again need to access the data encrypted by this key. If a key is shredded, any data encrypted by this key cannot be decrypted.

Option

Description

Single Key Encryption Expiration

The date on which the SEK key will expire or "Never" if the SEK never expires. If you specify a date and the SEK key expires, access to every encrypted disk on every VM in the Cloud VM Set will be denied. What happens to the SEK key depends on the setting in the Expiration Action field.

Single Key Encryption Expiration Action

No Use — The key is deactivated but retained. It can be reactivated by setting a future expiration date, or by setting the expiration date to "Never". At that point, all access to the encrypted data will be restored. This is the default.
Shred — The key is destroyed and cannot be retrieved. You should only use this option if you are absolutely certain that you will never again need to access the data encrypted by this key. If a key is shredded, any data encrypted by this key cannot be decrypted.

When you are finished, click Generate.

What to Do Next

Rekey the disks in the Cloud VM Set or make sure that Auto Rekey is enabled for the Cloud VM Set. For details, see Rekeying a Disk Using the webGUI, Rekeying a Disk using the CLI, and Configuring Auto Rekey for a Cloud VM Set.

HyTrust DataControl v 4.2.1