Changing SEK Properties

After you create the Cloud VM Set, you can enable or disable the use of SEK for the set as long as there are no VMs registered with the set. If one or more VMs are registered with the Cloud VM Set, you can no longer change these properties.

Tip: If you want to change the cipher KeyControl uses for the SEK keys, disable SEK for the Cloud VM Set then re-enable it. You can only set the cipher when you first enable SEK.

If you want to change the expiration date or expiration option for a SEK key, see Changing the SEK Key Expiration Options.

Enabling SEK for the Cloud VM Set

Log into the KeyControl webGUI on any node in the cluster using an account with Cloud Admin privileges for the Cloud VM Set you want to modify.
In the top menu bar, click Cloud.
On the VM Sets tab, select the Cloud VM Set for which you want to enable SEK.
On the Details tab, click Enable in the Single Encryption Key field.

In the Enable Single Encryption Key dialog box, specify the options you want to use.

Option	Description
Single Key Encryption Expiration	The date on which the SEK key will expire or "Never" if the SEK never expires. If you specify a date and the SEK key expires, access to every encrypted disk on every VM in the Cloud VM Set will be denied. What happens to the SEK key depends on the setting in the Expiration Action field.
Single Key Encryption Expiration Action	No Use — The key is deactivated but retained. It can be reactivated by setting a future expiration date, or by setting the expiration date to "Never". At that point, all access to the encrypted data will be restored. This is the default. Shred — The key is destroyed and cannot be retrieved. You should only use this option if you are absolutely certain that you will never again need to access the data encrypted by this key. If a key is shredded, any data encrypted by this key cannot be decrypted.

Option

Description

Single Key Encryption Expiration

The date on which the SEK key will expire or "Never" if the SEK never expires. If you specify a date and the SEK key expires, access to every encrypted disk on every VM in the Cloud VM Set will be denied. What happens to the SEK key depends on the setting in the Expiration Action field.

Single Key Encryption Expiration Action

No Use — The key is deactivated but retained. It can be reactivated by setting a future expiration date, or by setting the expiration date to "Never". At that point, all access to the encrypted data will be restored. This is the default.
Shred — The key is destroyed and cannot be retrieved. You should only use this option if you are absolutely certain that you will never again need to access the data encrypted by this key. If a key is shredded, any data encrypted by this key cannot be decrypted.

When you are done, click Enable. KeyControl creates a SEK key that it will use to encrypt all disks in all VMs registered with this Cloud VM Set until you generate a new SEK key. For details, see Generating a New SEK Key.