User's Guide: Key Undo Policy

NOTE

Key Undo Policy is available from Fortanix DSM 4.0 release onwards.

1.0 Introduction

This article describes the Fortanix Data Security Manager (DSM) Key Undo Policy feature.

It also contains the information related to:

  • Configuring Key undo policy for a group.

  • Destroy and delete security objects with reversible period configuration.

  • Remove private key with Key undo policy.

  • Deactivate and compromise key with Key undo policy.

  • Remove key operations with Key undo policy.

  • Multiple key reversible changes with Key undo policy.

2.0 Key Undo Policy

To prevent accidental execution of sensitive operations on keys, Fortanix DSM allows users to configure a Key undo policy. When enabled, this policy enforces a two-step process for sensitive key operations. During this process, actions can be undone within a user-defined waiting period before becoming permanent.

  • The maximum allowed waiting period is 180 days.

  • A minimum of 7 days is recommended as a best practice.

This safeguard provides administrators a grace window to review or reverse unintended actions before finalization.

The following sensitive operations can be reversed during the undo window defined by the Key undo policy:

  • Change group

  • Delete and destroy key

  • Deactivate and activate a key

  • Mark a key as compromised

  • Remove private key

  • Remove sensitive key operations such as encrypt, decrypt, sign, verify, and so on.

NOTE

You do not need to configure a group Quorum approval policy to enable a Key undo policy. However, if a group Quorum approval policy is already in place, Fortanix DSM generates a quorum approval request when you establish the Key undo policy.

Figure 1: Key undo policy

2.1 Adding a Key Undo Policy

Perform the following steps to add the Key undo policy:

  1. Go to the detailed view of a Fortanix DSM group, and in the INFO tab, click ADD POLICY for Key undo policy.

  2. Set the waiting period until which the sensitive operations are reversible under the Reversible Period Configuration section.

    NOTE

    By default, the Key reversible period is set to 7 days for all the sensitive operations listed above. The minimum waiting period during which a sensitive key operation is reversible is 7 days and the maximum period is 180 days. For the Key Destroy operation, once the key is destroyed, the key metadata can be configured to be deleted automatically or manually.

    Figure 2: Configure key undo policy

  3. Click SAVE POLICY to save the policy.

    NOTE

    If the reversible period in the policy is updated with a new value, the new value does not apply to sensitive operations that were already performed under the previous reversible period.

3.0 Key Undo Policy State For Destroy and Delete Key

  • Destroyed state: The key is considered destroyed in this state. The user can cancel the destroy operation until the time period specified in the Key undo policy elapses, after which the key will be permanently destroyed. When a key is in a destroyed state, the key material will be deleted and only the key metadata will be retained. The key metadata has the following details:

    • Key name

    • Key type

    • Key description

    • The group that it belongs to

    • The enabled key operations

    • Created by user

    • Expiration date if available

    • All its activity logs

    If the "key destroy" operation is canceled, then the key material will be retained.

  • Deleted state: In the “Deleted” state, a key that was in the “Destroyed” state is permanently deleted, manually or automatically, along with its key metadata. At this point, no trace of the key remains in Fortanix DSM; however, all such actions are audited as part of the audit logs. A key can also be deleted directly without entering the destroyed state.

3.1 Destroy Security Objects with Reversible Period Configuration

Perform the following steps to destroy a Fortanix DSM key with reversible period configuration:

  1. Go to the detailed view of the security object, scroll to the bottom of the screen and click DESTROY KEY.

    Figure 3: Destroy security object from detailed view

    Alternatively, you can select the key you want to destroy from the security objects table, and then click DESTROY SELECTED from the top navigation bar.

    Figure 4: Destroy selected option from security objects table

  2. In the Destroy key confirmation dialog box, select the check boxes to confirm your understanding about the action before destroying the security object. Click PROCEED.

    This initiates the key destruction process and places the key in a reversible “destroyed” state. Based on the configured Key undo policy, the dialog box also displays the time period during which the destruction can be reversed.

    NOTE

    If the security object's group has a Quorum approval policy enabled, Fortanix DSM generates a quorum approval request when you click PROCEED.

  3. After you initiate destruction of a security object, a Key Undo Policy – Reversible Changes table appears at the top of the screen. This table logs reversible actions and displays the following:

    • OCCURRED ON: Specifies the timestamp of the destruction event.

    • CANCEL CHANGES BY: Specifies the time period until which the destruction can be undone.

    • CANCEL CHANGE: This button allows you to reverse the key destruction operation within the configured undo window. To cancel the destroy action, click CANCEL CHANGE. In the Cancel changes confirmation dialog box, click PROCEED to confirm the reversal.

    NOTE

    If the security object's group has a Quorum approval policy enabled, Fortanix DSM generates a quorum approval request when you perform the CANCEL CHANGE action to reverse the key destruction.

    Figure 5: Key in reversible destroyed state

  4. Hover over the key to view its status as destroyed. The destroyed key icon indicates that the key is in a reversible state until the configured Key undo policy period expires.

    Figure 6: Destroyed key icon and hover status

  5. After the reversible period for the Destroyed state expires, you cannot undo the destroy operation and the key will be permanently destroyed.

3.2 Delete Security Objects with Reversible Period

When a security object is in the Destroyed state with a configured reversible period, you can initiate a permanent delete by clicking DELETE KEY. The delete operation will then enter its own reversible period, during which the key deletion can be canceled.

To permanently delete the key metadata, click DELETE KEY. If a Key undo policy is active, the delete operation remains reversible until the configured expiration time.

Perform the following steps to delete the key:

  1. Go to the detailed view of the security object, scroll to the bottom of the screen and click DELETE KEY.

    Figure 7: Delete the destroyed key from detailed view

    Alternatively, you can select the key you want to delete from the security objects table, and then click DELETE SELECTED from the top navigation bar.

    Figure 8: Delete selected option from security objects table

  2. In the Delete key confirmation dialog box, select the check box to acknowledge the warning before deleting the security object. Click PROCEED.

    This initiates the key deletion process and places the key in a reversible “deleted” state. Based on the configured Key undo policy, the dialog box also displays the time period during which the deletion can be reversed.

    NOTE

    If the security object's group has a Quorum approval policy enabled, Fortanix DSM generates a quorum approval request when you click PROCEED.

  3. After you initiate deletion of a destroyed security object, a Key Undo Policy – Reversible Changes table appears at the top of the screen. This table logs reversible actions and displays the following:

    • OCCURRED ON: Specifies the timestamp of the deletion event.

    • CANCEL CHANGES BY: Specifies the time period until which the deletion can be undone.

    • CANCEL CHANGE: This button allows you to reverse the key deletion operation within the configured undo window. To cancel the delete action, click CANCEL CHANGE. In the Cancel changes confirmation dialog box, click PROCEED to confirm the reversal.

    NOTE

    If the security object's group has a Quorum approval policy enabled, Fortanix DSM generates a quorum approval request when you perform the CANCEL CHANGE action to reverse the key deletion.

    Figure 9: Key in reversible deleted state

  4. Hover over the key to view its status as pending deletion. The deleted key warning icon indicates that the key is in a pending, reversible state until the reversible period configured in the Key undo policy expires.

    Figure 10: Deleted key icon and hover status

  5. After the reversible period for the Deleted state expires, you cannot undo the delete operation and the key will be permanently deleted.

4.0 Remove Private Key with Key Undo Policy

When the Key undo policy is configured at the group-level, Fortanix DSM allows you to make private key removal reversible for the duration specified in the policy.

Perform the following steps to remove the private key:

  1. Go to the detailed view of the security object for which you want to remove the private key.

  2. In the INFO tab, click REMOVE PRIVATE KEY.

  3. In the Remove private key confirmation box, click YES, REMOVE to confirm the private key removal operation.

    This initiates the private key removal process and places the key in a reversible “removal” state. Based on the configured Key undo policy, the dialog box also displays the time period during which the removal can be reversed.

    NOTE

    If the security object's group has a Quorum approval policy enabled, Fortanix DSM generates a quorum approval request when you click YES, REMOVE.

  4. After you initiate removal of a private key, a Key Undo Policy – Reversible Changes table appears at the top of the screen. This table logs reversible actions and displays the following:

    • OCCURRED ON: Specifies the timestamp of the private key removal event.

    • CANCEL CHANGES BY: Specifies the time period until which the private key removal can be undone.

    • CANCEL CHANGE: This button allows you to reverse the private key removal operation within the configured undo window. To cancel the private key removal action, click CANCEL CHANGE. In the Cancel changes confirmation dialog box, click PROCEED to confirm the reversal.

    NOTE

    If the security object's group has a Quorum approval policy enabled, Fortanix DSM generates a quorum approval request when you perform the CANCEL CHANGE action to reverse the private key removal.

    Figure 11: Cancel private key removal from reversible changes table

  5. Hover over the key to view its status as private key removed. The deleted private key warning icon indicates that the private key has been removed but the operation remains reversible until the reversible period configured in the Key undo policy expires.

    Figure 12: Private key removed icon and hover status

  6. After the reversible period for the private key removal state expires, you cannot undo the remove operation and the private key removal becomes permanent.

5.0 Deactivate and Compromise Key with Key Undo Policy

When the Key undo policy is configured at the group-level, Fortanix DSM allows you to deactivate or mark a key as compromised with the option to reverse the action for the duration specified in the policy.

Perform the following steps to deactivate or compromise a key:

  1. Navigate to the detailed view of the security object and click DEACTIVATE NOW.

    Figure 13: Deactivate key from detailed view

  2. In the Deactivation window, select the check box to acknowledge the warning before deactivating the security object. Additionally, select The key has been compromised check box, if the key is compromised. Click SAVE.

    This initiates the key deactivation process and places the key in a reversible “deactivate” state. Based on the configured Key undo policy, the dialog box also displays the time period during which the deactivation can be reversed.

    NOTE

    If the security object's group has a Quorum approval policy enabled, Fortanix DSM generates a quorum approval request when you click SAVE.

    Figure 14: Confirm key deactivation or compromise

  3. After you initiate deactivation of a security object, a Key Undo Policy – Reversible Changes table appears at the top of the screen. This table logs reversible actions and displays the following:

    • OCCURRED ON: Specifies the timestamp of the key deactivation event.

    • CANCEL CHANGES BY: Specifies the time period until which the key deactivation can be undone.

    • CANCEL CHANGE: This button allows you to reverse the key deactivation operation within the configured undo window. To cancel the deactivate action, click CANCEL CHANGE. In the Cancel changes confirmation dialog box, click PROCEED to confirm the reversal.

    NOTE

    If the security object's group has a Quorum approval policy enabled, Fortanix DSM generates a quorum approval request when you perform the CANCEL CHANGE action to reverse the key deactivation.

    Figure 15: Cancel key deactivation from reversible changes table

    Figure 16: Cancel compromise operation from reversible changes table

  4. Hover over the key to view its status as deactivated or compromised. The deactivated key warning icon and the compromised key warning icon signify that the key is in a deactivated or compromised state respectively, and the operation remains reversible until the reversible period configured in the Key undo policy expires.

    Figure 17: Deactivated key icon and hover status

    Figure 18: Compromised key icon and hover status

  5. After the reversible period for the key deactivation or compromise state expires, you can no longer undo the operation.

    • A deactivated or compromised key cannot be used for applying cryptographic protections such as encryption, signing, wrapping, MACing, or key derivation.

    • It can only be used for processing cryptographically protected data, including decryption, signature verification, unwrapping, and MAC verification.

    • If the This key has been compromised option was selected during deactivation, the key is marked as permanently compromised.

5.1 Remove Key Operations with Key Undo Policy

When the Key undo policy is configured at the group level, Fortanix DSM allows key operation removals to remain reversible for the duration specified in the policy.

Perform the following steps to remove key operations:

  1. Go to the detailed view of the security object and click EDIT PERMISSIONS.

    Figure 19: Remove key operations in edit permissions dialog

  2. Update the required Key operations permitted and click SAVE to confirm the changes.

  3. On the Restrict key operations confirmation window, click SAVE CHANGES to confirm the action.

    This initiates the key operation permission removal process and places the key in a reversible “restricted operations” state. Based on the configured Key undo policy, the dialog box also displays the time period during which the key permitted operations can be reversed.

    NOTE

    If the security object's group has a Quorum approval policy enabled, Fortanix DSM generates a quorum approval request when you click SAVE CHANGES.

  4. After you initiate removal of key operations permitted, a Key Undo Policy – Reversible Changes table appears at the top of the screen. This table logs reversible actions and displays the following:

    • OCCURRED ON: Specifies the timestamp of the key operation removal event.

    • CANCEL CHANGES BY: Specifies the time period until which the operation removal can be undone.

    • CANCEL CHANGE: This button allows you to reverse the key operation removal within the configured undo window. To cancel the removal action, click CANCEL CHANGE. In the Cancel changes confirmation dialog box, click PROCEED to confirm the reversal.

    NOTE

    If the security object's group has a Quorum approval policy enabled, Fortanix DSM generates a quorum approval request when you perform the CANCEL CHANGE action to reverse the key operation removal.

    Figure 20: Cancel key operation removal from reversible changes table

  5. After the reversible period for the operation removal state expires, you cannot undo the removal operation and the key operation will be permanently removed.

5.2 Multiple Key Reversible Changes with Key Undo Policy

If multiple reversible operations are performed on a key governed by a configured Key undo policy, the following rule applies when you click CANCEL CHANGE to revert a reversible action:

  • All reversible change requests performed on or after the timestamp of the selected Cancel Change event will be reverted.

This ensures a cumulative rollback of changes made after a specific point in time.

For example, if you select CANCEL CHANGE logged on April 29th 2025, 4:39 PM, then all reversible changes made on or after that timestamp will be cancelled together.

Figure 21: Cancel multiple reversible changes based on timestamp
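
The cumulative rollback rule above, combined with the section 2.1 note that a policy update does not change the window of operations already performed, can be modelled as follows. This is an added example, not Fortanix code or the DSM API: `KeyUndoModel`, `ReversibleChange` and the sample timeline are hypothetical, and the handling of expired changes is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_DAYS, MAX_DAYS = 7, 180  # reversible-period bounds stated in section 2.1


@dataclass(frozen=True)
class ReversibleChange:
    operation: str
    occurred_on: datetime   # OCCURRED ON column
    cancel_by: datetime     # CANCEL CHANGES BY column, fixed when recorded


class KeyUndoModel:
    """Hypothetical model of one key's Reversible Changes table."""

    def __init__(self, reversible_days: int = 7):
        self.changes: list[ReversibleChange] = []
        self.set_policy(reversible_days)

    def set_policy(self, days: int) -> None:
        if not MIN_DAYS <= days <= MAX_DAYS:
            raise ValueError(f"reversible period must be {MIN_DAYS}-{MAX_DAYS} days")
        self.reversible_days = days  # applies to future operations only

    def record(self, operation: str, when: datetime) -> ReversibleChange:
        change = ReversibleChange(operation, when,
                                  when + timedelta(days=self.reversible_days))
        self.changes.append(change)
        return change

    def pending(self, now: datetime) -> list[ReversibleChange]:
        # Assumption: once a change's window has passed it is permanent
        # and is no longer offered as reversible.
        return [c for c in self.changes if now <= c.cancel_by]

    def cancel(self, selected: ReversibleChange, now: datetime) -> list[ReversibleChange]:
        if selected not in self.pending(now):
            raise ValueError("undo window expired or change unknown")
        # Cumulative rollback: everything on or after the selected timestamp.
        reverted = [c for c in self.pending(now)
                    if c.occurred_on >= selected.occurred_on]
        self.changes = [c for c in self.changes if c not in reverted]
        return reverted


def demo():
    # Constructed timeline; 2025-04-29 16:39 is the timestamp used in section 5.2.
    key = KeyUndoModel(reversible_days=7)
    first = key.record("deactivate", datetime(2025, 4, 28, 10, 0))
    second = key.record("remove key operations", datetime(2025, 4, 29, 16, 39))
    key.set_policy(30)  # later operations get 30 days; earlier ones keep 7
    third = key.record("remove private key", datetime(2025, 4, 30, 9, 0))
    reverted = key.cancel(second, now=datetime(2025, 5, 1, 12, 0))
    return first, third, [c.operation for c in reverted], key.changes
```

Cancelling the April 29 entry reverts it and the April 30 private key removal, while the April 28 deactivation stays pending with its original 7-day deadline.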