User's Guide: Key Undo Policy

Introduction

To stop accidental sensitive operations on keys, Fortanix Data Security Manager (DSM) allows a user to add a “Key undo policy”. When the policy is added, the keys will go through a 2-step process in which the sensitive operations can be undone until a waiting period set by the user before the changes become permanent. The maximum period until which the changes can be undone is 180 days. As a best practice, a minimum period of 7 days is recommended.  The following sensitive operations can be undone:

• Change group
• Delete and destroy key
• Deactivate and activate a key
• Mark a key as compromised
• Remove private key
• Remove sensitive key operations encrypt, decrypt, sign, verify, and so on.

Figure 1: Key undo policy

To add the "Key undo policy":

1. Go to the detailed view of a group and in the INFO tab, click ADD POLICY in the "Key undo policy" section.
2. Set the waiting period until which the sensitive operations are reversible under the Reversible Period Configuration section.
   NOTE

   By default, the Key reversible period is set to 7 days for all the sensitive operations listed above. The minimum waiting period during which a sensitive key operation is reversible is 7 days and the maximum period is 180 days. For Key Destroy operation once the key is destroyed the key metadata can be configured to be automatically or manually deleted.
   Figure 2: Configure key undo policy
3. The policy is saved successfully. 
   NOTE

   If the reversible period in the policy is updated with a new value, then this will not update the reversible period of the sensitive operations that are already performed with a previous reversible value.

Key Undo Policy State For Destroy and Delete Key

• Destroyed state: The key is considered as destroyed in this state. The user has the option to cancel the destroy operation. This will be allowed until the time period specified in the "Key undo policy" after which the key will be permanently destroyed. When a key is in a destroyed state, the key material will be deleted, and it will retain only the key metadata. The key metadata has the following details:
  • Key name
  • Key type
  • Key description
  • The group that it belongs to
  • The enabled key operations
  • Created by user
  • Expiration date if available
  • All its activity logs
  If the "key destroy" operation is canceled, then the key material will be retained.
• Deleted state: In the “Deleted” state the key which was in the “Destroyed” state will be permanently deleted manually or automatically along with the key metadata. At this time, there will not be any trace left of that key in Fortanix DSM, however, all such actions will be audited as part of audit logs. A key can also be directly deleted without entering the destroyed state. 

Destroy Security Objects with Reversible Period Configuration

To destroy a Fortanix DSM key with reversible period configuration:

1. Go to the detailed view of the security object and click the DESTROY KEY button. Figure 4: Destroy security object
2. In the DESTROY KEY confirmation window, click the check box(es) which is a warning that a user should read and select before destroying the security object. Once this check box(es) are selected, it will enable the DESTROY button. You can see the time period until which the key destroy operation will be reversible.
   NOTE

   If the Security Object had a quorum approval set, then an Approval Request will be initiated once you click the DESTROY button in the window below.
   Figure 5: Destroy security object
3. Click DESTROY to enter the “destroyed” state. The user also has an option to “Cancel” the Key Destroy operation using the CANCEL button.
4. You could also start the key destroy process for a key from the SO table view. Select the security object and click the DESTROY SELECTED button. Figure 6: Destroy security object from table view Figure 7: Key in a destroyed state in SO table view
   Hover on the key to see that the key is in the “Destroyed” state. Notice that the color of the destroyed key icon is black to indicate that the key is destroyed but the action is reversible until a certain period.
5. You will now see an indicator on top of the Security Object detailed view page which shows that the key is destroyed and the time period until which the “Key Destroy” operation can be reversed. You can cancel the “Key Destroy” operation using the CANCEL CHANGE
   NOTE

   If the group that the security object belongs to has a Quorum Policy set, then the “Cancel Change” action will initiate a quorum approval request to confirm the “Key destroy cancel” operation.
   Figure 8: Reversible key destroyed state
6. Once the time period to reverse the “Destroyed” state of the key completes, the action cannot be undone.
   NOTE

   When a security object is in a “destroyed” state with reversible period configuration, the user can still choose to delete it using the DELETE KEY button (Figure 8). The delete operation will now enter a reversible period until which the delete operation can be canceled.
   Figure 9: Entering delete security object state
7. To delete the key metadata permanently, click the DELETE KEY Since the "Key undo policy" is active, the key delete operation is reversible until the specified time period.
   NOTE

   If the group that the security object belongs to has a Quorum Policy set, then the “Cancel Change” action will initiate a quorum approval request to confirm the “Key delete cancel” operation.
   Figure 10: Purge key metadata confirmation
8. In the DELETE SECURITY OBJECT window, select the check boxes to confirm that you do not need the key metadata anymore and want to delete the key permanently. Once the check boxes are selected it will enable the PROCEED
9. Click the PROCEED You will now see an indicator on top of the Security Object detailed view page that shows that the key is deleted and the time period until which the “Key Delete” operation can be reversed. You can cancel the “Key Delete” operation using the CANCEL CHANGE button. Figure 11: Cancel key delete
10. The key deletion now enters the “pending deletion” state. Figure 12: Key deleted
    Now, the key will be automatically deleted once the time period to reverse the “Deleted” state of the key elapses.

Remove Private Key with Key Undo Policy

If the "Key undo policy" is set at the group level, when you click the REMOVE PRIVATE KEY button from the detailed view of a key, the Private Key is removed, and the removal operation becomes reversible until the time period set in the policy. Figure 13: Remove private key

1. Click YES, REMOVE to confirm the private key removal operation.
                                       Figure 14: Confirm private key removal
2. A key whose private key is removed is represented as . Notice on the top of the screen that you have an option to reverse the private key removal operation using the CANCEL CHANGE button. Figure 15: Cancel private key removal
3. Once the time elapses to revert the Private Key removal operation, the Private Key will be permanently removed.

Deactivate and Compromise Key with Key Undo Policy

If the "Key undo policy" is set at the group level, when you click the DEACTIVATE NOW button from the detailed view of a key, the deactivate key/compromise operation becomes reversible until the time period set in the policy.

If the key is compromised, then select the check box The key has been compromised.

1. Click DEACTIVATE button to confirm the key deactivation/compromise. Figure 16: Deactivate key
                                  Figure 17: Confirm key deactivation/compromise
2. A deactivated key is represented in grey colour and a compromised key is represented in red colour .
   Notice on the top of the screen that you have an option to reverse the key deactivation/compromise operation using the CANCEL CHANGE button. Figure 18: Cancel key deactivation/compromise
3. Once the time elapses to revert the Key deactivation/compromise operation, the key will be permanently deactivated/compromised and cannot be used for applying cryptographic protection such as encrypt, signing, wrapping, MACing, and deriving. It can only be used to process cryptographically-protected information such as decrypt, signature verify, unwrap, and MAC verify. The key will also be permanently compromised if the “This key has been compromised” option was selected.

Remove Key Operations with Key Undo Policy

In the "Key undo policy" set at the group level, when you click the EDIT PERMISSIONS button from the detailed view of a key and remove some of the key operations, then the key operations removal becomes reversible until the time period set in the policy.

1. Remove the required permissions and click the SAVE button to confirm the key operations removal. Figure 19: Remove key operations
                                       Figure 20: Confirm key operations removal
2. Notice on the top of the screen that you have an option to reverse the key operations removal using the CANCEL CHANGE button. Figure 21: Cancel key operations removal
3. When the time elapses to revert the Key operation removal, the Key Operations will be permanently removed and cannot be reverted.

Multiple Key Reversible Changes with Key Undo Policy

If there are multiple reversible changes made on a key that has a “Key undo policy” configured, then the following rule applies when you click CANCEL CHANGES to cancel the reversible changes for a key:

• All reversible change requests performed on and after the time period of the current “Cancel Change” selection will be canceled. Figure 22: Cancel reversible changes
  In the example above: All reversible change requests on and after “April 28th 2021, 12:26 pm” will be cancelled.