Create a Key Policy

The key policy defines a key's lifecycle. Create key policies before creating and delivering keys to agents.

The encryption period and cryptoperiod both begin when the key is first given to an agent. Once a policy has been saved, its encryption period and cryptoperiod cannot be changed. This prevents a change to the key policy from affecting the large numbers of keys that may already be governed by it.

Available to: Compliance Officer

  1. In the left navigation menu, expand Secure Information Management, and then select Key Policy List. Click Create...
  2. Complete the following:
    • Key Policy ID — Identifies the policy (can be between 1 and 64 characters).
    • Description — Describes the policy (can be between 1 and 64 characters, or leave this field blank).
    • Encryption Period — How long keys associated with this key policy can be used to encrypt or decrypt data (the protect-and-process state). The time interval units are: minutes, hours, days, weeks, months, or years.
    • Cryptoperiod — How long keys associated with this key policy can be used to decrypt data. The cryptoperiod is measured from the same starting point as the encryption period; once the encryption period ends, a key can still decrypt (but not encrypt) for the remainder of its cryptoperiod (the process-only state), after which it is deactivated. The time interval units are: minutes, hours, days, weeks, months, or years.
    • Allow Export From — When checked, data unit keys associated with this key policy can be exported.
    • Allow Import To — When checked, data unit keys associated with this key policy can be imported.
    • Allow Agents To Revoke Keys — When checked, agents using a key group that specifies this key policy can deactivate (revoke) the keys associated with them, even if the keys are in an operational state such as protect-and-process. The OKM cluster must use Replication Version 14 or later before this attribute can be set to True. Tape drive agents should use the default value (False). Applications using a pkcs11_kms provider (see OKM PKCS#11 Provider) that need to revoke a key they will no longer use, for example after a re-key operation, should be configured to use an agent whose default key group specifies a key policy with this attribute set to True. ZFS encryption is an example of a pkcs11_kms application.
  3. Click Save. Key groups can now use the new key policy.
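The procedure above sets the policy through the OKM GUI; the following Python model is an added example, not OKM code, that makes the lifecycle rules on this page concrete: both periods start when the key is first delivered to an agent (a later redelivery does not restart the clock), the periods of a saved policy are immutable, a key moves from protect-and-process to process-only when the encryption period ends and is deactivated when the cryptoperiod ends, and an agent may revoke a key early only if its policy has Allow Agents To Revoke Keys set. The class and function names (KeyPolicy, Key, agent_revoke, KeyState) are invented for the example, and it assumes that the cryptoperiod cannot be shorter than the encryption period and approximates months and years as 30 and 365 days; neither detail is stated on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Unit(Enum):
    """Time interval units offered by the Create Key Policy dialog."""
    MINUTES = timedelta(minutes=1)
    HOURS = timedelta(hours=1)
    DAYS = timedelta(days=1)
    WEEKS = timedelta(weeks=1)
    MONTHS = timedelta(days=30)   # assumed approximation, not OKM's calendar arithmetic
    YEARS = timedelta(days=365)   # assumed approximation, not OKM's calendar arithmetic


@dataclass(frozen=True)
class Period:
    count: int
    unit: Unit

    def as_timedelta(self) -> timedelta:
        return self.count * self.unit.value


@dataclass(frozen=True)  # frozen: a saved policy's periods cannot be edited
class KeyPolicy:
    policy_id: str
    encryption_period: Period
    cryptoperiod: Period
    description: str = ""
    allow_export_from: bool = False
    allow_import_to: bool = False
    allow_agents_to_revoke_keys: bool = False   # default False, as for tape drive agents

    def __post_init__(self) -> None:
        if not 1 <= len(self.policy_id) <= 64:
            raise ValueError("Key Policy ID must be 1 to 64 characters")
        if len(self.description) > 64:
            raise ValueError("Description must be at most 64 characters")
        for p in (self.encryption_period, self.cryptoperiod):
            if p.count < 1:
                raise ValueError("periods must be positive")
        # Assumption of this model: both periods run from the same instant,
        # so the cryptoperiod cannot be shorter than the encryption period.
        if self.cryptoperiod.as_timedelta() < self.encryption_period.as_timedelta():
            raise ValueError("cryptoperiod must be at least as long as the encryption period")


class KeyState(Enum):
    READY = "ready"                              # created, not yet given to an agent
    PROTECT_AND_PROCESS = "protect and process"  # may encrypt and decrypt
    PROCESS_ONLY = "process only"                # may decrypt only
    DEACTIVATED = "deactivated"                  # cryptoperiod elapsed, or revoked


@dataclass
class Key:
    key_id: str
    policy: KeyPolicy
    issued_at: Optional[datetime] = None   # the clock starts at first delivery to an agent
    revoked: bool = False

    def issue_to_agent(self, when: datetime) -> None:
        if self.issued_at is None:         # only the first delivery starts the periods
            self.issued_at = when

    def state(self, now: datetime) -> KeyState:
        if self.revoked:
            return KeyState.DEACTIVATED
        if self.issued_at is None:
            return KeyState.READY
        elapsed = now - self.issued_at
        if elapsed < self.policy.encryption_period.as_timedelta():
            return KeyState.PROTECT_AND_PROCESS
        if elapsed < self.policy.cryptoperiod.as_timedelta():
            return KeyState.PROCESS_ONLY
        return KeyState.DEACTIVATED

    def can_encrypt(self, now: datetime) -> bool:
        return self.state(now) is KeyState.PROTECT_AND_PROCESS

    def can_decrypt(self, now: datetime) -> bool:
        return self.state(now) in (KeyState.PROTECT_AND_PROCESS, KeyState.PROCESS_ONLY)


def agent_revoke(key: Key, now: datetime) -> KeyState:
    """An agent asks to deactivate a key it will no longer use (for example after a
    re-key). Permitted only when the governing policy allows agents to revoke keys,
    regardless of the key's current operational state."""
    if not key.policy.allow_agents_to_revoke_keys:
        raise PermissionError(f"policy {key.policy.policy_id!r} does not allow agent revocation")
    key.revoked = True
    return key.state(now)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1)
    zfs = KeyPolicy("ZFSPolicy", Period(1, Unit.WEEKS), Period(1, Unit.YEARS),
                    description="pkcs11_kms agents", allow_agents_to_revoke_keys=True)
    k = Key("k1", zfs)
    k.issue_to_agent(t0)
    for days in (0, 6, 7, 364, 365):
        print(days, k.state(t0 + timedelta(days=days)).value)
    print("after re-key revoke:", agent_revoke(k, t0 + timedelta(days=8)).value)
```

Because KeyPolicy is frozen, any attempt to assign a new encryption_period or cryptoperiod to an existing policy raises an exception, mirroring the rule that these values cannot be changed once the policy is saved; to change them you create a new policy and point key groups at it.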