User's Guide: Key Undo Policy

NOTE

Key Undo Policy is available from Fortanix DSM 4.0 release onwards.

1.0 Introduction

To prevent accidental sensitive operations on keys, Fortanix Data Security Manager (DSM) allows a user to add a “Key undo policy”. When the policy is added, sensitive operations on keys go through a 2-step process: the operation can be undone during a waiting period set by the user, after which the change becomes permanent. The maximum period during which a change can be undone is 180 days. As a best practice, a minimum period of 7 days is recommended. The following sensitive operations can be undone:

  • Change group

  • Delete and destroy key

  • Deactivate and activate a key

  • Mark a key as compromised

  • Remove private key

  • Remove sensitive key operations such as encrypt, decrypt, sign, verify, and so on.

NOTE

The “Key undo policy” does not require a group Quorum approval policy to be configured. However, if a group already has a Quorum approval policy enabled, a quorum approval request will be created to establish a “Key undo policy”.

Figure 1: Key undo policy

To add the "Key undo policy":

  1. Go to the detailed view of a group and in the INFO tab, click ADD POLICY in the "Key undo policy" section.

  2. Under the Reversible Period Configuration section, set the waiting period during which the sensitive operations remain reversible.

    NOTE

    By default, the Key reversible period is set to 7 days for all the sensitive operations listed above. The minimum waiting period during which a sensitive key operation is reversible is 7 days and the maximum period is 180 days. For the Key Destroy operation, once the key is destroyed, the key metadata can be configured to be deleted either automatically or manually.

    Figure 2: Configure key undo policy

  3. The policy is saved successfully.

    NOTE

    If the reversible period in the policy is updated with a new value, this does not change the reversible period of sensitive operations that were already performed under the previous value; those operations keep the period that applied when they were performed.

2.0 Key Undo Policy State For Destroy and Delete Key

  • Destroyed state: The key is considered destroyed in this state. The user has the option to cancel the destroy operation until the time period specified in the "Key undo policy" elapses, after which the key is permanently destroyed. When a key is in the destroyed state, the key material is deleted and only the key metadata is retained. The key metadata has the following details:

    • Key name

    • Key type

    • Key description

    • The group that it belongs to

    • The enabled key operations

    • Created by user

    • Expiration date if available

    • All its activity logs

    If the "key destroy" operation is canceled, then the key material will be retained.

  • Deleted state: In the “Deleted” state the key which was in the “Destroyed” state will be permanently deleted, manually or automatically, along with the key metadata. At this time, there will not be any trace left of that key in Fortanix DSM; however, all such actions will be audited as part of audit logs. A key can also be directly deleted without entering the destroyed state.

3.0 Destroy Security Objects with Reversible Period Configuration

To destroy a Fortanix DSM key with reversible period configuration:

  1. Go to the detailed view of the security object and click the DESTROY KEY button.  

    Figure 4: Destroy security object

  2. In the DESTROY KEY confirmation window, select the check box(es). Each check box is a warning that a user should read and acknowledge before destroying the security object. Once the check box(es) are selected, the DESTROY button is enabled. The window also shows the time period until which the key destroy operation will be reversible.

    NOTE

    If the security object’s group had a Quorum approval policy set, then an approval request will be initiated once you click the DESTROY button in the window below.

    Figure 5: Destroy security object

  3. Click DESTROY to enter the “destroyed” state. The user also has an option to “Cancel” the Key Destroy operation using the CANCEL button.

  4. You can also start the key destroy process for a key from the SO table view. Select the security object and click the DESTROY SELECTED button.

    Figure 6: Destroy security object from table view

    Figure 7: Key in a destroyed state in SO table view

    Hover over the key to see that it is in the “Destroyed” state. Notice that the destroyed key icon is black, indicating that the key is destroyed but the action is still reversible for the configured period.

  5. You will now see an indicator on top of the Security Object detailed view page which shows that the key is destroyed and the time period until which the “Key Destroy” operation can be reversed. You can cancel the “Key Destroy” operation using the CANCEL CHANGE button.

    NOTE

    If the group that the security object belongs to has a Quorum approval policy set, then the “Cancel Change” action will initiate a quorum approval request to confirm the “Key destroy cancel” operation.

    Figure 8: Reversible key destroyed state

  6. Once the time period to reverse the “Destroyed” state of the key completes, the action cannot be undone.

    NOTE

    When a security object is in a “destroyed” state with reversible period configuration, the user can still choose to delete it using the DELETE KEY button (Figure 8). The delete operation will now enter a reversible period until which the delete operation can be canceled.

    Figure 9: Entering delete security object state

  7. To delete the key metadata permanently, click the DELETE KEY button. Since the "Key undo policy" is active, the key delete operation is reversible until the specified time period elapses.

    NOTE

    If the group that the security object belongs to has a Quorum approval policy set, then the “Cancel Change” action will initiate a quorum approval request to confirm the “Key delete cancel” operation.

    Figure 10: Purge key metadata confirmation

  8. In the DELETE SECURITY OBJECT window, select the check boxes to confirm that you do not need the key metadata anymore and want to delete the key permanently. Once the check boxes are selected, the PROCEED button is enabled.

  9. Click the PROCEED button. You will now see an indicator on top of the security object detailed view page that shows that the key is deleted and the time period until which the “Key Delete” operation can be reversed. You can cancel the “Key Delete” operation using the CANCEL CHANGE button.

    Figure 11: Cancel key delete

  10. The key deletion now enters the “pending deletion” state.

    Figure 12: Key deleted

    Now, the key will be automatically deleted once the time period to reverse the “Deleted” state of the key elapses.

4.0 Remove Private Key with Key Undo Policy

If the "Key undo policy" is set at the group level, when you click the REMOVE PRIVATE KEY button from the detailed view of a key, the Private Key is removed, and the removal operation becomes reversible until the time period set in the policy.

Figure 13: Remove private key

  1. Click YES, REMOVE to confirm the private key removal operation.

    Figure 14: Confirm private key removal

  2. A key whose private key has been removed is shown with a dedicated icon. Notice on the top of the screen that you have an option to reverse the private key removal operation using the CANCEL CHANGE button.

    Figure 15: Cancel private key removal

  3. Once the time elapses to revert the Private Key removal operation, the Private Key will be permanently removed.

5.0 Deactivate and Compromise Key with Key Undo Policy

If the "Key undo policy" is set at the group level, when you click the DEACTIVATE NOW button from the detailed view of a key, the deactivate key or compromise operation becomes reversible until the time period set in the policy.

If the key is compromised, also select the “The key has been compromised” check box.

  1. Click the DEACTIVATE button to confirm the key deactivation/compromise.

    Figure 16: Deactivate key

    Figure 17: Confirm key deactivation/compromise

  2. A deactivated key icon is shown in grey and a compromised key icon is shown in red. Notice on the top of the screen that you have an option to reverse the key deactivation/compromise operation using the CANCEL CHANGE button.

    Figure 18: Cancel key deactivation/compromise

  3. Once the time elapses to revert the Key deactivation or compromise operation, the key will be permanently deactivated or compromised and cannot be used for applying cryptographic protection such as encrypt, signing, wrapping, MACing, and deriving. It can only be used to process cryptographically-protected information such as decrypt, signature verify, unwrap, and MAC verify. The key will also be permanently compromised if the “This key has been compromised” option was selected.

6.0 Remove Key Operations with Key Undo Policy

If the "Key undo policy" is set at the group level, when you click the EDIT PERMISSIONS button from the detailed view of a key and remove some of the key operations, the key operations removal becomes reversible until the time period set in the policy elapses.

  1. Remove the required permissions and click the SAVE button to confirm the key operations removal.

    Figure 19: Remove key operations

    Figure 20: Confirm key operations removal

  2. Notice on the top of the screen that you have an option to reverse the key operations removal using the CANCEL CHANGE button.

    Figure 21: Cancel key operations removal

  3. When the time elapses to revert the Key operation removal, the Key Operations will be permanently removed and cannot be reverted.

7.0 Multiple Key Reversible Changes with Key Undo Policy

If there are multiple reversible changes made on a key that has a “Key undo policy” configured, then the following rule applies when you click CANCEL CHANGES to cancel the reversible changes for a key:

  • All reversible change requests performed on and after the time of the currently selected “Cancel Change” will be canceled.

    Figure 22: Cancel reversible changes

    In the example above, all reversible change requests on and after “April 28th 2021, 12:26 pm” will be canceled.
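The rules this guide describes (the 7 to 180 day bounds and the policy-update note in Section 1, and the cancel-cascade rule in Section 7) as an added Python model; this is illustrative code, not Fortanix DSM code, and the class names, operation names and dates are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed model of this guide's rules, not Fortanix DSM code; names and dates are assumed.
MIN_DAYS, MAX_DAYS = 7, 180  # bounds stated in Section 1

@dataclass
class ReversibleChange:
    operation: str           # e.g. "destroy", "delete", "remove_private_key"
    performed_at: datetime
    reversible_days: int     # snapshot of the policy value when the change was made
    canceled: bool = False

    def is_reversible(self, now):
        deadline = self.performed_at + timedelta(days=self.reversible_days)
        return not self.canceled and now < deadline

@dataclass
class SecurityObject:
    reversible_days: int = 7  # group-level Key undo policy, default 7 days
    changes: list = field(default_factory=list)

    def set_policy(self, days):
        if not MIN_DAYS <= days <= MAX_DAYS:
            raise ValueError(f"reversible period must be {MIN_DAYS}..{MAX_DAYS} days")
        self.reversible_days = days  # pending changes keep their old period (Section 1 note)

    def perform(self, operation, at):
        change = ReversibleChange(operation, at, self.reversible_days)
        self.changes.append(change)
        return change

    def cancel_change(self, change, now):
        # Section 7 rule: cancelling one change cancels every still-reversible change on or after it.
        if not change.is_reversible(now):
            raise ValueError("reversible period elapsed; the change is permanent")
        hit = [c for c in self.changes
               if c.performed_at >= change.performed_at and c.is_reversible(now)]
        for c in hit:
            c.canceled = True
        return [c.operation for c in hit]

def demo():
    so = SecurityObject()
    t0 = datetime(2021, 4, 28, 12, 0)
    so.perform("remove_operations", t0)
    destroy = so.perform("destroy", t0 + timedelta(minutes=26))
    so.perform("delete", t0 + timedelta(hours=1))
    so.set_policy(30)  # later policy edit: the pending changes keep their 7-day period
    canceled = so.cancel_change(destroy, t0 + timedelta(days=2))
    return canceled, [c.operation for c in so.changes if not c.canceled]
```

Cancelling the 12:26 pm destroy also cancels the later delete, while the earlier operation removal stays pending, matching the rule in Figure 22.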