NOTE
Key Undo Policy is available from Fortanix DSM 4.0 release onwards.
1.0 Introduction
To prevent accidental sensitive operations on keys, Fortanix Data Security Manager (DSM) allows a user to add a “Key undo policy”. When the policy is added, keys go through a 2-step process in which sensitive operations can be undone during a waiting period set by the user, after which the changes become permanent. The maximum period for which changes can be undone is 180 days. As a best practice, a minimum period of 7 days is recommended. The following sensitive operations can be undone:
Change group
Delete and destroy key
Deactivate and activate a key
Mark a key as compromised
Remove private key
Remove sensitive key operations such as encrypt, decrypt, sign, verify, and so on.
NOTE
The “Key undo policy” does not require a group Quorum approval policy to be configured. However, if a group already has a Quorum approval policy enabled, a quorum approval request will be created to establish a “Key undo policy”.

Figure 1: Key undo policy
To add the "Key undo policy":
Go to the detailed view of a group and in the INFO tab, click ADD POLICY in the "Key undo policy" section.
Set the waiting period until which the sensitive operations are reversible under the Reversible Period Configuration section.
NOTE
By default, the key reversible period is set to 7 days for all the sensitive operations listed above. The minimum waiting period during which a sensitive key operation is reversible is 7 days and the maximum is 180 days. For the Key Destroy operation, once the key is destroyed, the key metadata can be configured to be deleted automatically or manually.
Figure 2: Configure key undo policy
The policy is saved successfully.
NOTE
If the reversible period in the policy is updated with a new value, the reversible period of sensitive operations that were already performed under the previous value is not changed.
2.0 Key Undo Policy State For Destroy and Delete Key
Destroyed state: The key is considered destroyed in this state. The user has the option to cancel the destroy operation until the time period specified in the "Key undo policy" elapses, after which the key is permanently destroyed. When a key is in the destroyed state, the key material is deleted and only the key metadata is retained. The key metadata has the following details:
Key name
Key type
Key description
The group that it belongs to
The enabled key operations
Created by user
Expiration date if available
All its activity logs
If the "key destroy" operation is canceled, then the key material will be retained.
Deleted state: In the “Deleted” state, the key that was in the “Destroyed” state is permanently deleted, manually or automatically, along with its key metadata. At this point no trace of the key remains in Fortanix DSM; however, all such actions are recorded in the audit logs. A key can also be deleted directly without entering the destroyed state.
3.0 Destroy Security Objects with Reversible Period Configuration
To destroy a Fortanix DSM key with reversible period configuration:
Go to the detailed view of the security object and click the DESTROY KEY button.
Figure 4: Destroy security object
In the DESTROY KEY confirmation window, select the check box(es); each is a warning that a user should read and acknowledge before destroying the security object. Once the check box(es) are selected, the DESTROY button is enabled. You can see the time period until which the key destroy operation remains reversible.
NOTE
If the security object’s group had a Quorum approval policy set, then an approval request will be initiated once you click the DESTROY button in the window below.
Figure 5: Destroy security object
Click DESTROY to put the key in the “destroyed” state. The user also has the option to cancel the Key Destroy operation using the CANCEL button.
You can also start the key destroy process for a key from the SO table view. Select the security object and click the DESTROY SELECTED button.
Figure 6: Destroy security object from table view
Figure 7: Key in a destroyed state in SO table view
Hover over the key to see that it is in the “Destroyed” state. Notice that the color of the destroyed key icon is black, to indicate that the key is destroyed but the action is reversible until a certain period.
You will now see an indicator at the top of the Security Object detailed view page which shows that the key is destroyed and the time period until which the “Key Destroy” operation can be reversed. You can cancel the “Key Destroy” operation using the CANCEL CHANGE button.
NOTE
If the group that the security object belongs to has a Quorum approval policy set, then the “Cancel Change” action will initiate a quorum approval request to confirm the “Key destroy cancel” operation.
Figure 8: Reversible key destroyed state
Once the time period to reverse the “Destroyed” state of the key completes, the action cannot be undone.
NOTE
When a security object is in a “destroyed” state with reversible period configuration, the user can still choose to delete it using the DELETE KEY button (Figure 8). The delete operation will now enter a reversible period until which the delete operation can be canceled.
Figure 9: Entering delete security object state
To delete the key metadata permanently, click the DELETE KEY button. Since the "Key undo policy" is active, the key delete operation is reversible until the specified time period.
NOTE
If the group that the security object belongs to has a Quorum approval policy set, then the “Cancel Change” action will initiate a quorum approval request to confirm the “Key delete cancel” operation.
Figure 10: Purge key metadata confirmation
In the DELETE SECURITY OBJECT window, select the check boxes to confirm that you no longer need the key metadata and want to delete the key permanently. Once the check boxes are selected, the PROCEED button is enabled.
Click the PROCEED button. You will now see an indicator at the top of the security object detailed view page that shows that the key is deleted and the time period until which the “Key Delete” operation can be reversed. You can cancel the “Key Delete” operation using the CANCEL CHANGE button.
Figure 11: Cancel key delete
The key deletion now enters the “pending deletion” state.
Figure 12: Key deleted
Now, the key will be automatically deleted once the time period to reverse the “Deleted” state of the key elapses.
4.0 Remove Private Key with Key Undo Policy
If the "Key undo policy" is set at the group level, when you click the REMOVE PRIVATE KEY button from the detailed view of a key, the Private Key is removed, and the removal operation becomes reversible until the time period set in the policy.

Figure 13: Remove private key
Click YES, REMOVE to confirm the private key removal operation.
Figure 14: Confirm private key removal
A key whose private key is removed is represented by a distinct key icon. Notice at the top of the screen that you have an option to reverse the private key removal operation using the CANCEL CHANGE button.
Figure 15: Cancel private key removal
Once the time to revert the private key removal operation elapses, the private key is permanently removed.
5.0 Deactivate and Compromise Key with Key Undo Policy
If the "Key undo policy" is set at the group level, when you click the DEACTIVATE NOW button from the detailed view of a key, the key deactivation or compromise operation becomes reversible until the time period set in the policy.
If the key is compromised, select the “The key has been compromised” check box.
Click the DEACTIVATE button to confirm the key deactivation/compromise.
Figure 16: Deactivate key
Figure 17: Confirm key deactivation/compromise
A deactivated key is represented by a grey key icon and a compromised key by a red key icon.
Notice at the top of the screen that you have an option to reverse the key deactivation/compromise operation using the CANCEL CHANGE button.
Figure 18: Cancel key deactivation/compromise
Once the time to revert the key deactivation or compromise operation elapses, the key is permanently deactivated or compromised and cannot be used to apply cryptographic protection such as encrypt, sign, wrap, MAC, and derive. It can only be used to process cryptographically protected information, such as decrypt, signature verify, unwrap, and MAC verify. The key is also permanently marked as compromised if the “This key has been compromised” option was selected.
6.0 Remove Key Operations with Key Undo Policy
If the "Key undo policy" is set at the group level, when you click the EDIT PERMISSIONS button from the detailed view of a key and remove some of the key operations, the key operations removal becomes reversible until the time period set in the policy.
Remove the required permissions and click the SAVE button to confirm the key operations removal.
Figure 19: Remove key operations
Figure 20: Confirm key operations removal
Notice at the top of the screen that you have an option to reverse the key operations removal using the CANCEL CHANGE button.
Figure 21: Cancel key operations removal
When the time to revert the key operations removal elapses, the key operations are permanently removed and cannot be restored.
7.0 Multiple Key Reversible Changes with Key Undo Policy
If there are multiple reversible changes made on a key that has a “Key undo policy” configured, then the following rule applies when you click CANCEL CHANGES to cancel the reversible changes for a key:
All reversible change requests performed at or after the time of the currently selected “Cancel Change” will be cancelled.
Figure 22: Cancel reversible changes
In the example above: All reversible change requests on and after “April 28th 2021, 12:26 pm” will be cancelled.
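The reversible states in sections 2.0 and 3.0, the fixed-at-execution period from the note in 1.0, and the cancellation rule in 7.0, as an added illustrative model; this is not Fortanix DSM code, the class and method names (UndoableKey, perform, cancel_changes, expire, status) are assumptions, and the timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed model of the reversible-change rules on this page; not Fortanix DSM code.
MIN_DAYS, MAX_DAYS = 7, 180  # waiting-period limits stated in section 1.0


@dataclass
class Change:
    operation: str          # "destroy", "delete", "remove_private_key", ...
    performed_at: datetime
    permanent_at: datetime  # fixed when performed; later policy edits do not move it


@dataclass
class UndoableKey:
    reversible_days: int = 7  # policy default from section 1.0
    pending: list = field(default_factory=list)
    permanent: list = field(default_factory=list)

    def __post_init__(self):
        if not MIN_DAYS <= self.reversible_days <= MAX_DAYS:
            raise ValueError(f"reversible period must be {MIN_DAYS}-{MAX_DAYS} days")

    def perform(self, operation: str, at: datetime) -> datetime:
        # The period is captured at execution time (note at the end of 1.0).
        deadline = at + timedelta(days=self.reversible_days)
        self.pending.append(Change(operation, at, deadline))
        return deadline

    def cancel_changes(self, selected_at: datetime) -> list:
        # Rule from 7.0: cancelling the change selected at `selected_at` also
        # cancels every reversible change performed on or after that time.
        cancelled = [c for c in self.pending if c.performed_at >= selected_at]
        self.pending = [c for c in self.pending if c.performed_at < selected_at]
        return [c.operation for c in cancelled]

    def expire(self, now: datetime) -> list:
        # Changes whose reversible period has elapsed can no longer be undone.
        done = [c for c in self.pending if c.permanent_at <= now]
        self.pending = [c for c in self.pending if c.permanent_at > now]
        self.permanent.extend(done)
        return [c.operation for c in done]

    def status(self) -> str:
        for op, label in (("delete", "deleted"), ("destroy", "destroyed")):
            if any(c.operation == op for c in self.permanent):
                return label
            if any(c.operation == op for c in self.pending):
                return f"{label} (reversible)"
        return "active"
```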