View Data Unit Key Details

View a list of keys used by data units.

Available to: All roles, Operator (can change In Use By Data Unit checkbox)
  1. From the Data Units menu, select Data Unit List.
  2. Select a data unit, and then click Details...
  3. Click the Key List tab (see below for a description of the fields).
  4. Select a key, and then click Details...
  5. If the Replication Version is at least 14, the Operator can change the In Use By Data Unit check box that indicates the relationship between this key and its associated data unit. Selecting this check box can help when a key policy that is used by tape drive agents is inadvertently updated to enable its Allow Agents To Revoke Keys attribute. See View and Modify Key Policies for a description of this attribute.

Key List - Field Descriptions

The following are descriptions of the fields within the Key List of OKM Manager.

  • Data Unit ID - Uniquely identifies the data unit.
  • Data Unit Description - Describes the data unit.
  • Key ID - Key information for the data unit.
  • Key Type - The type of encryption algorithm that this key uses. The only possible value is AES-256.
  • Created Date - Date and time when the key was created.
  • Activation Date - Date and time when the key was activated. This is the date and time when the key was first given to an agent. It is the starting date and time for the key's encryption period and cryptoperiod.
  • Destroyed Date - Date when the key was destroyed. If the field is blank, then the key is not destroyed.
  • Destruction Comment - User-supplied information about the destruction of the key. If the field is blank, then the key is not destroyed.
  • Exported - If true, the key has been exported.
  • Imported - If true, the key has been imported.
  • Derived - If true, the key has been derived from a Master Key generated by the Master Key Provider.
  • Revoked - If true, the key(s) associated with the data unit have been revoked by an agent. See View and Modify Key Policies. If the KMA to which the OKM GUI is connected runs OKM 2.5.2 or higher but the OKM cluster currently uses Replication Version 13 or earlier, then this attribute is shown as "(Unknown)."
  • Key Group - Key group associated with the data unit.
  • Encryption End Date - Date and time when the key will no longer be used or was stopped from being used for encrypting data.
  • Deactivation Date - Date and time when the key will be or was deactivated.
  • Compromised Date - Date when the key was compromised. If the field is blank, then the key is not compromised.
  • Compromised Comment - User-supplied information about compromising the key. If the field is blank, then the key is not compromised.
  • Key State - Data unit's key state. Possible values are:
    • Generated — Set when the key has been created on one KMA in an OKM cluster. It remains generated until it has been replicated to at least one other KMA in a multi-OKM cluster. In a cluster with only a single KMA, the key remains generated until it has been recorded in at least one backup.
    • Ready — Set when the key has been protected against loss by replication or a backup. A ready key is available for assignment.
    • Protect and Process — Set when the key has been assigned, which happens when an encryption agent requests that a new key be created. A key in this state can be used for both encryption and decryption.
    • Process Only — Set when the key has been assigned but its encryption period has expired. A key in this state can be used for decryption but not for encryption.
    • Deactivated — Set when the key has passed its cryptoperiod but may still be needed to process (decrypt) information.
    • Compromised — Set when the key has been released to or discovered by an unauthorized entity. A key in this state can be used for decryption but not for encryption.
    • Incompletely Destroyed — Set when the key has been destroyed but it still appears in at least one backup.
    • Completely Destroyed — Set when all of the backups in which the destroyed key appears have been destroyed.
    • Compromised and Incompletely Destroyed — Set when the compromised key still appears in at least one backup.
    • Compromised and Completely Destroyed — Set when all of the backups in which the compromised key appears have been destroyed.
  • Recovery Activated - Indicates whether the key has been linked to the data unit by a recovery action.
    • This condition occurs when a key is used for a data unit by one KMA in an OKM cluster and then, due to a failure, the key is later requested for the data unit from a different KMA. If the failure (such as a network outage) has prevented the allocation of the key to the data unit from being propagated to the second KMA, the second KMA creates the linkage to the data unit. Such a key is "recovery activated," and an administrator may want to evaluate the system for KMA or network outages. Possible values are True and False.
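
The field rules above can be checked mechanically when reviewing many keys. The following Python sketch is an added example, not part of OKM or its documentation: it audits key records for disagreement between Key State and the Destroyed/Compromised dates, and flags the Revoked and Recovery Activated conditions. The dictionary layout, the function names and the sample records are assumptions constructed for illustration, and states the page does not describe as usable are treated as permitting neither operation.

```python
# Added example: audits constructed Key List records against the field
# descriptions above. The dict layout is an assumption, not an OKM export format.

# Operations each Key State permits, taken from the state descriptions.
ENCRYPT_OK = {"Protect and Process"}
DECRYPT_OK = {"Protect and Process", "Process Only", "Deactivated", "Compromised"}

def permitted_ops(state):
    """Return (may_encrypt, may_decrypt) for a Key State value."""
    return state in ENCRYPT_OK, state in DECRYPT_OK

def audit_key(rec):
    """Return findings for one key record; an empty list means nothing to review."""
    findings = []
    state = rec["Key State"]
    # A blank Destroyed/Compromised Date means the key is not in that condition.
    for word, field in (("Destroyed", "Destroyed Date"), ("Compromised", "Compromised Date")):
        if (word in state) != bool(rec.get(field)):
            findings.append(f"{field} disagrees with Key State '{state}'")
    if "Incompletely Destroyed" in state:
        findings.append("destroyed key still appears in at least one backup")
    if state == "Generated":
        findings.append("key not yet protected by replication or backup")
    if rec.get("Revoked") == "(Unknown)":
        findings.append("Revoked unknown: cluster uses Replication Version 13 or earlier")
    elif rec.get("Revoked") is True:
        findings.append("key revoked by an agent")
    if rec.get("Recovery Activated") is True:
        findings.append("recovery activated: check for KMA or network outages")
    return findings

# Constructed sample records (Key IDs and dates are placeholders).
SAMPLE_KEYS = [
    {"Key ID": "KEY-A", "Key State": "Protect and Process", "Revoked": False,
     "Recovery Activated": False},
    {"Key ID": "KEY-B", "Key State": "Process Only", "Revoked": "(Unknown)",
     "Recovery Activated": True},
    {"Key ID": "KEY-C", "Key State": "Compromised and Incompletely Destroyed",
     "Destroyed Date": "2024-03-01", "Compromised Date": "", "Revoked": False,
     "Recovery Activated": False},
]

def audit_all(records):
    """Map Key ID -> findings, for records that need review."""
    return {r["Key ID"]: f for r in records if (f := audit_key(r))}

if __name__ == "__main__":
    for key_id, notes in audit_all(SAMPLE_KEYS).items():
        print(key_id, notes)
```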