Changing the SEK Key Expiration Options
You can change the expiry date and expiration option for the version of the SEK key associated with any disk in the Cloud VM Set. When you do so, KeyControl applies the changes to all disks on all VMs in the Cloud VM Set using the same version of the SEK key as the selected disk.
- Log in to the KeyControl webGUI on any node in the cluster using an account with Cloud Admin privileges for the Cloud VM Set you want to modify.
- In the top menu bar, click Cloud.
- Click the VMs tab and select the VM you want to work with from the list.
- Click the Expand button (>) at the end of the row to access the details for the specific VM.
- Click the Encrypted Disks tab and select the disk whose expiration date you want to set. KeyControl displays the Expiry Date and On Expiration properties for the selected disk below the table.
- If the Expiry Date field displays:
  - Never, click Never and enter a date in the format mm/dd/yyyy, or click the calendar icon and select the day from the pop-up calendar.
  - A date, change the date using the field or the calendar icon. To set the key expiration back to Never, click Clear.
  If the date is valid, KeyControl displays a confirmation dialog letting you know that these changes will affect all disks on all VMs in the Cloud VM Set that use the same version of the SEK key as the selected disk. Confirm your changes at the prompt.
  KeyControl changes the date and updates the information for the affected disks in the Disk table. If there is a problem, check whether the Cloud VM Set to which this VM belongs has an associated KEK. If it does, you cannot change the key expiration date for the disk beyond the date specified for the KEK.
- If desired, change what happens when the expiration date arrives for all disks on all VMs in the Cloud VM Set that use the same version of the SEK key as the selected disk. You can select:
  - No Use — The key is deactivated but retained. It can be reactivated by setting a future expiration date, or by setting the expiration date to "Never". At that point, all access to the encrypted data will be restored. This is the default.
  - Shred — The key is destroyed and cannot be retrieved. You should only use this option if you are absolutely certain that you will never again need to access the data encrypted by this key. If a key is shredded, any data encrypted by this key cannot be decrypted.
  When you are finished, click Save. At the prompt, confirm that you want to set the expiration option for all disks in the Cloud VM Set using the same version of the SEK key as the selected disk.