Setting the Key Expiration Date for a Disk

By default, the key assigned to a disk never expires. If you want the disk to only be available for a specified amount of time, you can set a key expiration date. What happens when the key expires depends on how you have configured the system.

Before you change the date, keep in mind that:

  • If the VM belongs to a Cloud VM Set that has an associated KEK (Key Encryption Key), you cannot set the disk key expiration date beyond the expiration date set for the KEK. For details about viewing the KEK properties, see Changing KEK Properties.
  • If the VM belongs to a Cloud VM Set that uses the SEK (Single Encryption Key) option, changing the key expiry date or expiration option for the disk changes the expiry date or expiration option for all disks in the Cloud VM Set that use the same version of the SEK key as the selected disk. For more information about the SEK option, see Data Deduplication with Cloud VM Sets.

Procedure 

  1. Log in to the KeyControl webGUI using an account with Cloud Admin privileges.
  2. In the top menu bar, click Cloud.
  3. Click the VMs tab and select the VM you want to work with from the list.
  4. Click the Expand button (>) at the end of the row to access the details for the specific VM.
  5. Click the Encrypted Disks tab and select the disk whose expiration date you want to set. KeyControl displays the Expiry Date and On Expiration properties for the selected disk below the table.
  6. If the Expiry Date field displays:

    • Never, click Never and enter a date in the format mm/dd/yyyy or click the calendar icon and select the day from the pop-up calendar.
    • A date, change the date using the field or the calendar icon. To set the key expiration back to Never, click Clear.

    If the date is valid and the Cloud VM Set to which this VM belongs uses a SEK key, confirm that you want to make the same expiry date change to all disks on all VMs in the Cloud VM Set that use the same version of the SEK key as the selected disk.

    KeyControl displays a message that the request was successful and updates the information for the disk in the Disk table. If there is a problem, check whether the Cloud VM Set to which this VM belongs has an associated KEK. If it does, you cannot change the key expiration date for the disk beyond the date specified for the KEK.

  7. If desired, change what happens when the expiration date arrives. You can select:

    • No Use — The key is deactivated but retained. It can be reactivated by setting a future expiration date, or by setting the expiration date to "Never". At that point, all access to the encrypted data will be restored. This is the default.
    • Shred — The key is destroyed and cannot be retrieved. You should only use this option if you are absolutely certain that you will never again need to access the data encrypted by this key. If a key is shredded, any data encrypted by this key cannot be decrypted.

    When you are finished, click Save. If the Cloud VM Set to which this VM belongs uses a SEK key, confirm that you want to make the same expiration option change to all disks on all VMs in the Cloud VM Set that use the same version of the SEK key as the selected disk.