Changing KEK Properties
If a Key Encryption Key (KEK) was specified when the Cloud VM Set was created, you may be able to change the properties for that KEK based on the options selected when the key was created.
- Log into the KeyControl webGUI using an account with Cloud Admin privileges.
- In the top menu bar, click Cloud.
- Select the Cloud VM Set whose KEK properties you want to change.
- Click the Key Encryption Key tab. The options you can change are displayed as blue links in the webGUI.
- Change any available option by clicking on the current value and then entering a new value in the field. When you are finished with each field, click Save in that field or your changes will be lost. KeyControl applies each change as soon as you click Save. While the change is in process, the Key State changes to ACTIVE_PENDING. When the change has been completed, the Key State returns to ACTIVE.
Options
Option
Description
Key Expiration Period
The length of time for which the KEK and all data encryption keys on the VMs will be valid. To indicate that the KEK should never expire, set this field to 0 (zero).
If you change the Key Expiration Period, the new expiration period begins from the day you make the change, not from the day the Cloud VM Set was created.
When this time period expires:
- All disks on all VMs in the Cloud VM Set are automatically detached. What happens to the keys depends on the setting in the Key Expiration Action field.
- Any attempt to register a new VM with the Cloud VM Set will fail.
- Any encrypt or decrypt operation on any of the associated VMs will fail.
Note: If the Key Expiration Option field is set to Change, you can shorten the expiration period but you cannot lengthen it beyond the original date.
Key Expiration Action
The options are:
- No Use — The KEK and all data encryption keys are deactivated but retained. The keys can be reactivated and the expiration date extended if the Key Expiration Option field is set to Extend. This is the default.
- Shred — The KEK and all data encryption keys are destroyed and cannot be retrieved. In addition, all VMs in the set are removed from KeyControl and the Cloud VM Set itself is deleted.
Shred is a destructive action that cannot be undone. Make sure you have set the correct Key Expiration Period when using this option.
Key Expiration Option
The options are:
- No Change — None of the KEK properties can be changed. The only thing you can do is revoke access to all VMs in the Cloud VM Set by selecting Actions > Revoke Key Encryption Key.
- Change — You can change the expiration options but you cannot set an expiration date beyond the date originally specified when the Cloud VM Set was created. This is the default.
- Extend — You can change any of the expiration options as desired.
VM Set Retention Period
If Key Expiration Action is set to No Use, this field determines the period of time for which Cloud VM Set objects will be retained after the expiration date is reached.
After this period passes, KeyControl permanently deletes all cloud VMs, the Cloud VM Set, and the associated KEK.
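The following pre-change check is an added example, not KeyControl code or a KeyControl API. It models the Key Expiration Period and Key Expiration Option rules described above so that a planned change can be reviewed before it is saved in the webGUI. The function name, the use of days as the unit, and the handling of 0 (never expire) under Change are assumptions.

```python
from datetime import date, timedelta
from typing import Optional


def plan_expiration_change(option: str, original_expiry: Optional[date],
                           new_period_days: int, today: date) -> Optional[date]:
    """Return the expiry date a change would produce (None = never expires).

    Hypothetical helper that mirrors the rules in the options table.
    option          -- Key Expiration Option: "No Change", "Change" or "Extend"
    original_expiry -- date set when the Cloud VM Set was created (None = never)
    new_period_days -- requested Key Expiration Period; 0 means never expire
                       (days as the unit is an assumption)
    Raises ValueError when the documented rules forbid the change.
    """
    if new_period_days < 0:
        raise ValueError("period must be 0 (never expire) or a positive number")
    if option == "No Change":
        raise ValueError("No Change: KEK properties cannot be changed; "
                         "only Revoke Key Encryption Key is available")
    if option not in ("Change", "Extend"):
        raise ValueError(f"unknown Key Expiration Option: {option!r}")

    # The new period starts on the day of the change, not on the creation day.
    new_expiry = None if new_period_days == 0 else today + timedelta(days=new_period_days)

    if option == "Change" and original_expiry is not None:
        # Assumption: "never expire" counts as later than any original date.
        if new_expiry is None or new_expiry > original_expiry:
            limit = (original_expiry - today).days
            raise ValueError(f"Change: cannot go beyond original date "
                             f"{original_expiry}; longest period today is {limit} days")
    return new_expiry


if __name__ == "__main__":
    # Constructed sample values, not taken from a real Cloud VM Set.
    today, original = date(2024, 3, 1), date(2024, 12, 31)
    for opt, days in [("Change", 90), ("Change", 365), ("Extend", 365), ("No Change", 30)]:
        try:
            print(opt, days, "->", plan_expiration_change(opt, original, days, today))
        except ValueError as err:
            print(opt, days, "-> rejected:", err)
```

When Key Expiration Action is Shred, review the returned date with particular care, because the keys are destroyed on that date.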