11 Keys, Key Policies, and Key Groups

Understand the difference between keys, key policies, and key groups to properly configure and manage OKM.

Keys are the actual key values (key material) together with their associated metadata. Each KMA creates 1000 keys by default when it is created; this number may be changed during installation. Each KMA controls and assigns its own keys. After issuing 10 keys, the KMA creates 10 new keys to replenish its pool. Keys are then replicated to all KMAs in the OKM.

Key policies define the parameters that govern keys. These include lifecycle parameters (such as the encryption period and cryptoperiod) and import/export parameters (for example, whether import or export is allowed).

Key groups associate keys and key policies. Each key group has a key policy and is assigned to agents. Agents are allowed to retrieve only the keys that are assigned to one of the agent's allowed key groups. Agents also have a default key group. When an agent creates a key (assigns it to a data unit), the key is placed into the agent's default key group.

Note:

For the system to function, you must define at least one key policy and one key group (assigned as the default key group) for all agents.
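The relationships described above, as an added toy model that is not Oracle's code and does not use the OKM API: the class and method names (KeyPolicy, KMA, define_agent, create_key, retrieve_key) are hypothetical, and only the rules come from the text. It enforces that an agent's default key group is one of its allowed, defined key groups, that a key an agent creates lands in its default group, that retrieval is limited to the agent's allowed groups, and that the KMA's pool is replenished in batches of 10.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class KeyPolicy:                 # parameters that govern the keys in a key group
    encryption_period_days: int
    cryptoperiod_days: int
    import_allowed: bool = False
    export_allowed: bool = False

@dataclass
class Key:                       # key material plus metadata
    key_id: str
    material: bytes
    group: str = ""              # empty while the key sits unassigned in the KMA's pool

def new_key() -> Key:            # constructed, random key material for the illustration
    return Key(secrets.token_hex(8), secrets.token_bytes(32))

class KMA:
    def __init__(self, pool_size: int = 1000, batch: int = 10):
        self.batch = batch
        self.pool = [new_key() for _ in range(pool_size)]  # keys pre-created with the KMA
        self.issued: dict[str, Key] = {}
        self.key_groups: dict[str, KeyPolicy] = {}         # key group -> its one key policy
        self.agents: dict[str, dict] = {}

    def define_key_group(self, name: str, policy: KeyPolicy) -> None:
        self.key_groups[name] = policy

    def define_agent(self, name: str, allowed: set[str], default: str) -> None:
        # The default key group must be one of the agent's allowed, already defined key groups.
        if default not in allowed or not allowed <= set(self.key_groups):
            raise ValueError("default group must be an allowed, defined key group")
        self.agents[name] = {"allowed": set(allowed), "default": default}

    def create_key(self, agent: str) -> Key:
        # Agent assigns a key to a data unit: it leaves the pool and joins the agent's default group.
        key = self.pool.pop(0)
        key.group = self.agents[agent]["default"]
        self.issued[key.key_id] = key
        if len(self.issued) % self.batch == 0:    # after issuing 10 keys, create 10 to replenish
            self.pool.extend(new_key() for _ in range(self.batch))
        return key

    def retrieve_key(self, agent: str, key_id: str) -> Key:
        # Agents may retrieve only keys that belong to one of their allowed key groups.
        key = self.issued[key_id]
        if key.group not in self.agents[agent]["allowed"]:
            raise PermissionError(f"{agent} may not retrieve keys in group {key.group!r}")
        return key
```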