User's Guide: Key Undo Policy

1.0 Introduction

To stop accidental sensitive operations on keys, Fortanix Data Security Manager (DSM) allows a user to add a “Key undo policy”. When the policy is added, the keys will go through a 2-step process in which the sensitive operations can be undone until a waiting period set by the user before the changes become permanent. The maximum period until which the changes can be undone is 180 days. As a best practice, a minimum period of 7 days is recommended.  The following sensitive operations can be undone:

• Change group

• Delete and destroy key

• Deactivate and activate a key

• Mark a key as compromised

• Remove private key

• Remove sensitive key operations such as encrypt, decrypt, sign, verify, and so on.

To add the "Key undo policy":

1. Go to the detailed view of a group and in the INFO tab, click ADD POLICY in the "Key undo policy" section.

2. Set the waiting period until which the sensitive operations are reversible under the Reversible Period Configuration section.

   NOTE

   By default, the Key reversible period is set to 7 days for all the sensitive operations listed above. The minimum waiting period during which a sensitive key operation is reversible is 7 days and the maximum period is 180 days. For Key Destroy operation once the key is destroyed the key metadata can be configured to be automatically or manually deleted.

   

3. The policy is saved successfully. 

   NOTE

   If the reversible period in the policy is updated with a new value, then this will not update the reversible period of the sensitive operations that are already performed with a previous reversible value.

2.0 Key Undo Policy State For Destroy and Delete Key

• Destroyed state: The key is considered as destroyed in this state. The user has the option to cancel the destroy operation. This will be allowed until the time period specified in the "Key undo policy" after which the key will be permanently destroyed. When a key is in a destroyed state, the key material will be deleted, and it will retain only the key metadata. The key metadata has the following details:

  • Key name

  • Key type

  • Key description

  • The group that it belongs to

  • The enabled key operations

  • Created by user

  • Expiration date if available

  • All its activity logs

  If the "key destroy" operation is canceled, then the key material will be retained.

• Deleted state: In the “Deleted” state the key which was in the “Destroyed” state will be permanently deleted manually or automatically along with the key metadata. At this time, there will not be any trace left of that key in Fortanix DSM, however, all such actions will be audited as part of audit logs. A key can also be directly deleted without entering the destroyed state. 

3.0 Destroy Security Objects with Reversible Period Configuration

To destroy a Fortanix DSM key with reversible period configuration:

1. Go to the detailed view of the security object and click the DESTROY KEY button.  

   

2. In the DESTROY KEY confirmation window, click the check box(es) which is a warning that a user should read and select before destroying the security object. Once this check box(es) are selected, it will enable the DESTROY button. You can see the time period until which the key destroy operation will be reversible.

   NOTE

   If the security object’s group had a Quorum approval policy set, then an approval request will be initiated once you click the DESTROY button in the window below.

   

3. Click DESTROY to enter the “destroyed” state. The user also has an option to “Cancel” the Key Destroy operation using the CANCEL button.

4. You could also start the key destroy process for a key from the SO table view. Select the security object and click the DESTROY SELECTED button.  

   

   

   Hover on the key to see that the key is in the “Destroyed” state. Notice that the color of the destroyed key icon is black   to indicate that the key is destroyed but the action is reversible until a certain period.

5. You will now see an indicator on top of the Security Object detailed view page which shows that the key is destroyed and the time period until which the “Key Destroy” operation can be reversed. You can cancel the “Key Destroy” operation using the CANCEL CHANGE

   NOTE

   If the group that the security object belongs to has a Quorum approval policy set, then the “Cancel Change” action will initiate a quorum approval request to confirm the “Key destroy cancel” operation.

   

6. Once the time period to reverse the “Destroyed” state of the key completes, the action cannot be undone.

   NOTE

   When a security object is in a “destroyed” state with reversible period configuration, the user can still choose to delete it using the DELETE KEY button (Figure 8). The delete operation will now enter a reversible period until which the delete operation can be canceled.

   

7. To delete the key metadata permanently, click the DELETE KEY Since the "Key undo policy" is active, the key delete operation is reversible until the specified time period.

   NOTE

   If the group that the security object belongs to has a Quorum approval policy set, then the “Cancel Change” action will initiate a quorum approval request to confirm the “Key delete cancel” operation.

   

8. In the DELETE SECURITY OBJECT window, select the check boxes to confirm that you do not need the key metadata anymore and want to delete the key permanently. Once the check boxes are selected it will enable the PROCEED

9. Click the PROCEED You will now see an indicator on top of the security object detailed view page that shows that the key is deleted and the time period until which the “Key Delete” operation can be reversed. You can cancel the “Key Delete” operation using the CANCEL CHANGE button.  

   

10. The key deletion now enters the “pending deletion” state.  

    

    Now, the key will be automatically deleted once the time period to reverse the “Deleted” state of the key elapses.

4.0 Remove Private Key with Key Undo Policy

If the "Key undo policy" is set at the group level, when you click the REMOVE PRIVATE KEY button from the detailed view of a key, the Private Key is removed, and the removal operation becomes reversible until the time period set in the policy.

1. Click YES, REMOVE to confirm the private key removal operation.  

   

2. A key whose private key is removed is represented as  . Notice on the top of the screen that you have an option to reverse the private key removal operation using the CANCEL CHANGE button.  

   

3. Once the time elapses to revert the Private Key removal operation, the Private Key will be permanently removed.

5.0 Deactivate and Compromise Key with Key Undo Policy

If the "Key undo policy" is set at the group level, when you click the DEACTIVATE NOW button from the detailed view of a key, the deactivate key or compromise operation becomes reversible until the time period set in the policy.

If the key is compromised, then select the check box The key has been compromised.

1. Click DEACTIVATE button to confirm the key deactivation/compromise.  

   

   

2. A deactivated key is represented in grey colour   and a compromised key is represented in red colour  .
   Notice on the top of the screen that you have an option to reverse the key deactivation/compromise operation using the CANCEL CHANGE button.  

   

3. Once the time elapses to revert the Key deactivation or compromise operation, the key will be permanently deactivated or compromised and cannot be used for applying cryptographic protection such as encrypt, signing, wrapping, MACing, and deriving. It can only be used to process cryptographically-protected information such as decrypt, signature verify, unwrap, and MAC verify. The key will also be permanently compromised if the “This key has been compromised” option was selected.

6.0 Remove Key Operations with Key Undo Policy

In the "Key undo policy" set at the group level, when you click the EDIT PERMISSIONS button from the detailed view of a key and remove some of the key operations, then the key operations removal becomes reversible until the time period set in the policy.

1. Remove the required permissions and click the SAVE button to confirm the key operations removal.  

   

   

2. Notice on the top of the screen that you have an option to reverse the key operations removal using the CANCEL CHANGE button.  

   

3. When the time elapses to revert the Key operation removal, the Key Operations will be permanently removed and cannot be reverted.

7.0 Multiple Key Reversible Changes with Key Undo Policy

If there are multiple reversible changes made on a key that has a “Key undo policy” configured, then the following rule applies when you click CANCEL CHANGES to cancel the reversible changes for a key:

• All reversible change requests performed on and after the time period of the current “Cancel Change” selection will be canceled.  

  

  In the example above: All reversible change requests on and after “April 28th 2021, 12:26 pm” will be cancelled.