User's Guide: Key Undo Policy

NOTE
Key Undo Policy is available from Fortanix DSM 4.0 release onwards.

Introduction

To guard against accidental sensitive operations on keys, Fortanix Data Security Manager (DSM) allows a user to add a “Key undo policy”. With the policy in place, sensitive key operations go through a two-step process: the operation can be undone during a waiting period set by the user, and only after that period elapses does the change become permanent. The maximum period for which changes can be undone is 180 days. As a best practice, a minimum period of 7 days is recommended. The following sensitive operations can be undone:

  • Delete and destroy key
  • Deactivate and activate a key
  • Mark a key as compromised
  • Remove private key
  • Remove sensitive key operations (encrypt, decrypt, sign, verify, and so on)

NOTE
Quorum approval is not required to create a “Key undo policy”.

Figure 1: Key undo policy

To add the "Key undo policy":

  1. Go to the detailed view of a group and, in the INFO tab, click ADD POLICY in the "Key undo policy" section.
  2. Set the waiting period during which the sensitive operations remain reversible under the Reversible Period Configuration section.
    NOTE
    By default, the key reversible period is set to 7 days for all the sensitive operations listed above. The minimum waiting period during which a sensitive key operation is reversible is 7 days and the maximum period is 180 days. For the Key Destroy operation, once the key is destroyed, the key metadata can be configured to be deleted automatically or manually.
    Figure 2: Configure key undo policy
  3. The policy is saved successfully.
    Figure 3: Policy saved
    NOTE
    If the reversible period in the policy is updated with a new value, the new value does not apply to sensitive operations that were already performed under the previous reversible period.

Key Undo Policy State For Destroy and Delete Key

  • Destroyed state: The key is considered destroyed in this state. The user has the option to cancel the destroy operation until the time period specified in the "Key undo policy" elapses, after which the key is permanently destroyed. When a key is in the destroyed state, the key material is deleted and only the key metadata is retained. The key metadata has the following details:
    • Key name
    • Key type
    • Key description
    • The group that it belongs to
    • The enabled key operations
    • Created by user
    • Expiration date if available
    • All its activity logs
    If the "key destroy" operation is canceled, then the key material will be retained.
  • Deleted state: In the “Deleted” state, a key that was in the “Destroyed” state is permanently deleted, manually or automatically, along with its key metadata. At this point no trace of the key is left in Fortanix DSM; however, all such actions are recorded in the audit logs. A key can also be deleted directly without first entering the destroyed state.

Destroy Security Objects with Reversible Period Configuration

To destroy a Fortanix DSM key with reversible period configuration:

  1. Go to the detailed view of the security object and click the DESTROY KEY button.
    Figure 4: Destroy security object
  2. In the DESTROY KEY confirmation window, select the check box(es); each is a warning that a user should read and acknowledge before destroying the security object. Once the check box(es) are selected, the DESTROY button is enabled. You can see the time period until which the key destroy operation will be reversible.
    NOTE
    If the Security Object had a quorum approval set, then an Approval Request will be initiated once you click the DESTROY button in the window below.
    Figure 5: Destroy security object
  3. Click DESTROY to enter the “destroyed” state. The user also has an option to “Cancel” the Key Destroy operation using the CANCEL button.
  4. You can also start the key destroy process for a key from the SO table view. Select the security object and click the DESTROY SELECTED button.
    Figure 6: Destroy security object from table view
    Figure 7: Key in a destroyed state in SO table view
    Hover over the key to see that it is in the “Destroyed” state. Notice that the destroyed key icon is black to indicate that the key is destroyed but the action is reversible for a certain period.
  5. You will now see an indicator on top of the Security Object detailed view page which shows that the key is destroyed and the time period until which the “Key Destroy” operation can be reversed. You can cancel the “Key Destroy” operation using the CANCEL CHANGE button.
    NOTE
    If the group that the security object belongs to has a Quorum Policy set, then the “Cancel Change” action will initiate a quorum approval request to confirm the “Key destroy cancel” operation.
    Figure 8: Reversible key destroyed state
  6. Once the time period to reverse the “Destroyed” state of the key completes, the action cannot be undone.
    NOTE
    When a security object is in a “destroyed” state with reversible period configuration, the user can still choose to delete it using the DELETE KEY button (Figure 8). The delete operation will now enter a reversible period until which the delete operation can be canceled.
    Figure 9: Entering delete security object state
  7. To delete the key metadata permanently, click the DELETE KEY button. Since the "Key undo policy" is active, the key delete operation is reversible until the specified time period elapses.
    NOTE
    If the group that the security object belongs to has a Quorum Policy set, then the “Cancel Change” action will initiate a quorum approval request to confirm the “Key delete cancel” operation.
    Figure 10: Purge key metadata confirmation
  8. In the DELETE SECURITY OBJECT window, select the check boxes to confirm that you no longer need the key metadata and want to delete the key permanently. Once the check boxes are selected, the PROCEED button is enabled.
  9. Click the PROCEED button. You will now see an indicator on top of the Security Object detailed view page that shows that the key is deleted and the time period until which the “Key Delete” operation can be reversed. You can cancel the “Key Delete” operation using the CANCEL CHANGE button.
    Figure 11: Cancel key delete
  10. The key deletion now enters the “pending deletion” state.
    Figure 12: Key deleted
    Now, the key will be automatically deleted once the time period to reverse the “Deleted” state of the key elapses.

Remove Private Key with Key Undo Policy

If the "Key undo policy" is set at the group level, when you click the REMOVE PRIVATE KEY button from the detailed view of a key, the private key is removed and the removal operation remains reversible until the time period set in the policy elapses.
Figure 13: Remove private key

  1. Click YES, REMOVE to confirm the private key removal operation.
    Figure 14: Confirm private key removal
  2. A key whose private key has been removed is represented by a dedicated icon. Notice at the top of the screen that you have an option to reverse the private key removal operation using the CANCEL CHANGE button.
    Figure 15: Cancel private key removal
  3. Once the time elapses to revert the Private Key removal operation, the Private Key will be permanently removed.

Deactivate and Compromise Key with Key Undo Policy

If the "Key undo policy" is set at the group level, when you click the DEACTIVATE NOW button from the detailed view of a key, the deactivate key/compromise operation becomes reversible until the time period set in the policy.

If the key is compromised, then select the check box “The key has been compromised”.

  1. Click the DEACTIVATE button to confirm the key deactivation/compromise.
    Figure 16: Deactivate key
    Figure 17: Confirm key deactivation/compromise
  2. A deactivated key is represented in grey colour and a compromised key is represented in red colour.
    Notice at the top of the screen that you have an option to reverse the key deactivation/compromise operation using the CANCEL CHANGE button.
    Figure 18: Cancel key deactivation/compromise
  3. Once the time elapses to revert the Key deactivation/compromise operation, the key will be permanently deactivated/compromised and cannot be used for applying cryptographic protection such as encrypt, signing, wrapping, MACing, and deriving. It can only be used to process cryptographically-protected information such as decrypt, signature verify, unwrap, and MAC verify. The key will also be permanently compromised if the “This key has been compromised” option was selected.

Remove Key Operations with Key Undo Policy

If the "Key undo policy" is set at the group level, when you click the EDIT PERMISSIONS button from the detailed view of a key and remove some of the key operations, the key operations removal remains reversible until the time period set in the policy elapses.

  1. Remove the required permissions and click the SAVE button to confirm the key operations removal.
    Figure 19: Remove key operations
    Figure 20: Confirm key operations removal
  2. Notice at the top of the screen that you have an option to reverse the key operations removal using the CANCEL CHANGE button.
    Figure 21: Cancel key operations removal
  3. When the time elapses to revert the Key operation removal, the Key Operations will be permanently removed and cannot be reverted.

Multiple Key Reversible Changes with Key Undo Policy

If there are multiple reversible changes made on a key that has a “Key undo policy” configured, then the following rule applies when you click CANCEL CHANGES to cancel the reversible changes for a key:

  • All reversible change requests performed on and after the timestamp of the change selected for “Cancel Change” will be canceled.
    Figure 22: Cancel reversible changes
    In the example in Figure 22, all reversible change requests on and after “April 28th 2021, 12:26 pm” will be cancelled.
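To make the reversible-period rules in this guide concrete (the note that a policy edit does not affect changes already pending, the destroyed state that keeps metadata but drops key material, and the cancel-on-and-after rule just described), here is an added Python model; it is not Fortanix code, the class and method names are assumptions, and it uses a constructed clock measured in days.

```python
from dataclasses import dataclass, field
from typing import Optional

MIN_DAYS, MAX_DAYS = 7, 180  # reversible-period limits stated in the guide

@dataclass
class PendingChange:
    operation: str           # "destroy", "delete", "remove_private_key", ...
    requested_at: float      # time in days on a constructed clock (not DSM's)
    reversible_until: float  # fixed at request time; later policy edits don't move it
    cancelled: bool = False
    permanent: bool = False

@dataclass
class Key:
    name: str                # metadata survives a destroy; only the material goes
    policy_days: int = 7     # default reversible period from the guide
    material: Optional[bytes] = b"constructed-key-material"
    pending: list = field(default_factory=list)

    def set_policy(self, days: int) -> None:
        if not MIN_DAYS <= days <= MAX_DAYS:
            raise ValueError(f"reversible period must be {MIN_DAYS}-{MAX_DAYS} days")
        self.policy_days = days  # changes already pending keep their old period

    def request(self, operation: str, now: float) -> PendingChange:
        change = PendingChange(operation, now, now + self.policy_days)
        self.pending.append(change)
        return change

    def cancel_changes_from(self, selected: float) -> int:
        # CANCEL CHANGES rule: every reversible change requested on or after
        # the selected change's timestamp is undone together.
        hits = [c for c in self.pending
                if not (c.cancelled or c.permanent) and c.requested_at >= selected]
        for c in hits:
            c.cancelled = True
        return len(hits)

    def finalize(self, now: float) -> list:
        # Elapsed changes become permanent; a permanent destroy drops the material.
        done = []
        for c in self.pending:
            if not (c.cancelled or c.permanent) and now >= c.reversible_until:
                c.permanent = True
                if c.operation == "destroy":
                    self.material = None
                done.append(c.operation)
        return done
```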