This chapter contains the following topics:
About key groups
Creating a key group
Creating a key
Revoking a key
About key groups
A key group is a collection of key management settings. An administrator applies a key group to a policy so that the policy's encryption protects assets with keys from that group. A key group can apply to multiple policies, but a policy must use only one key group. A key manager is a provider of key material storage or cryptographic operations. The Blue Coat Cloud Data Protection Server supports Voltage, SafeNet, and the proprietary key manager available with the Blue Coat Cloud Data Protection Server.
Key Management is available to system administrators and key group managers.
About encryption key life cycle
The encryption key life cycle contains two periods. The originator usage period is the time after a key is assigned that it can be used to encrypt data. The recipient usage period is the time period that a key can be used for decryption. Note that both originator and recipient usage period start at the same time, when the key is assigned.
The following image shows the key lifecycle:
Managing key groups 29
For each new key group, one encryption key is created. An administrator activates the encryption key.
In general, the Blue Coat Cloud Data Protection Server takes care of key rotation according to the originator usage period, and administrators do not need to change key states manually. When a key expires at the end of its originator usage period, the system generates and activates a new key. Auto-generated keys are automatically put in the active state. The old key remains in the active state so that data encrypted with it can still be decrypted. Keys must be in the active state to allow decryption operations.
In all cases, the most recently activated key is used for encryption operations. The most recently activated key is highlighted as shown in the following image.
When the recipient usage period expires for a key, or when an administrator manually deactivates the key, the key enters the “deactivated” state. In this state, the key cannot be used for encryption or decryption operations.
If a key is believed to be compromised, an administrator can revoke it. A revoked key is not available for decryption operations. Keys that are either deactivated or revoked can be destroyed.
Note: In the Management Console, when an administrator manually deactivates or revokes a key, the key is no longer available for either encryption or decryption operations. Any existing data encrypted with that key cannot be decrypted and will appear unreadable. Check which key a policy's data was encrypted with before deactivating or revoking it manually.
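The following Python model, added here as an illustration and not code from the Blue Coat Cloud Data Protection Server, shows the life cycle described above: one key per new group, the most recently activated key always used for encryption, rotation when the originator usage period ends, the old key kept active for decryption until its recipient usage period ends, and deactivated, revoked and destroyed keys refusing to decrypt. It also shows the behaviour described under "Editing a Key Group" later in this chapter, because each key snapshots the group settings in force when it is created. All class, method and state names are this example's own, rotation happens lazily on the next encrypt call rather than at the exact expiry time, and the HMAC-SHA256 keystream is a toy stand-in for the key manager's real algorithm, used only so that the example runs offline.

```python
import datetime as dt
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Key states as described in the chapter (names chosen for this example).
ACTIVE, DEACTIVATED, REVOKED, DESTROYED = "ACTIVE", "DEACTIVATED", "REVOKED", "DESTROYED"


@dataclass
class KeyGroupSettings:
    """Cryptographic periods of a key group (field names are this example's own)."""
    originator_usage: dt.timedelta   # how long a new key may be used to encrypt
    recipient_usage: dt.timedelta    # how long a new key may be used to decrypt
    key_length: int = 256            # key material in bits


@dataclass
class Key:
    key_id: str
    material: bytes
    activated_at: dt.datetime
    originator_end: dt.datetime      # both periods start when the key is assigned
    recipient_end: dt.datetime
    state: str = ACTIVE


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy HMAC-SHA256 keystream cipher (assumption: stands in for the key
    manager's real algorithm). It demonstrates key selection, not cipher design."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class KeyGroup:
    def __init__(self, settings: KeyGroupSettings, now: dt.datetime):
        self.settings = settings
        self.keys: list[Key] = []
        self._activate_new_key(now)   # one key is created for every new key group

    def _activate_new_key(self, now: dt.datetime) -> Key:
        s = self.settings   # snapshot: later edits to the group do not touch this key
        key = Key(f"key-{len(self.keys) + 1}", secrets.token_bytes(s.key_length // 8),
                  now, now + s.originator_usage, now + s.recipient_usage)
        self.keys.append(key)
        return key

    def get(self, key_id: str) -> Key:
        return next(k for k in self.keys if k.key_id == key_id)

    def state_of(self, key_id: str) -> str:
        return self.get(key_id).state

    def sweep(self, now: dt.datetime) -> None:
        """A key whose recipient usage period has ended becomes DEACTIVATED."""
        for k in self.keys:
            if k.state == ACTIVE and now >= k.recipient_end:
                k.state = DEACTIVATED

    def encrypt(self, plaintext: bytes, now: dt.datetime) -> tuple[str, bytes]:
        """Encrypt with the most recently activated key, rotating first if its
        originator period is over or it is no longer active (assumption for the
        latter case; the chapter only describes rotation at period expiry)."""
        self.sweep(now)
        key = self.keys[-1]
        if key.state != ACTIVE or now >= key.originator_end:
            key = self._activate_new_key(now)
        nonce = secrets.token_bytes(16)
        return key.key_id, nonce + _keystream_xor(key.material, nonce, plaintext)

    def decrypt(self, key_id: str, blob: bytes, now: dt.datetime) -> bytes:
        """Only an ACTIVE key may decrypt; anything else leaves the data unreadable."""
        self.sweep(now)
        key = self.get(key_id)
        if key.state != ACTIVE:
            raise PermissionError(f"{key_id} is {key.state}; data cannot be decrypted")
        return _keystream_xor(key.material, blob[:16], blob[16:])

    def deactivate(self, key_id: str) -> None:
        self.get(key_id).state = DEACTIVATED

    def revoke(self, key_id: str) -> None:
        self.get(key_id).state = REVOKED

    def destroy(self, key_id: str) -> None:
        """Only deactivated or revoked keys can be destroyed; material is wiped."""
        key = self.get(key_id)
        if key.state not in (DEACTIVATED, REVOKED):
            raise ValueError(f"{key_id} is {key.state}; cannot destroy an active key")
        key.material = b""
        key.state = DESTROYED
```

To walk through the life cycle, create a `KeyGroup` with a 30-day originator period and a 90-day recipient period, encrypt at day 0, encrypt again at day 30 (the returned key ID changes to `key-2` while `key-1` still decrypts the day-0 data), then decrypt the day-0 data at day 90 and observe the `PermissionError` once `key-1` has moved to `DEACTIVATED`. Changing `group.settings` between those calls alters only the periods of keys generated afterwards.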
Creating a key group
To create a key group, you must specify a key group name and description, and associate a key group profile with the key group. A key group profile can be associated with multiple key groups. A key group must be associated with only one key group profile.
To create a new key group
1. From the Management Console, select Encryption, then Key Groups, then Add New Key Group.
2. In KEY GROUP PROPERTIES, in Name and in Description, provide a name and, optionally, a brief description for the key group. In State, select Enabled to make the key group active. Otherwise, select Disabled.
3. In KEY SPECIFICATION, specify the following values.
a. Select a Key Manager from the list of registered managers.
b. In Default Algorithm, select a default algorithm from the list of algorithms supported by the selected key manager.
c. In Default Key Length, select a default key length from the list of supported key lengths for the selected algorithm.
d. In Initialization Vector Policy, select an initialization vector policy from the list of supported initialization vector generation options.
The following image shows sample values.
4. In CRYPTOGRAPHIC PERIODS, specify the following values.
a. In Originator Usage, specify the number of units in the originator usage period for keys generated in the key group. The originator usage period is the time after a key is assigned during which it can be used to encrypt data.
b. In Originator Usage Period, select the unit for that number. Available options are Minutes, Hours, Days, Weeks, Months, and Years.
c. In Recipient Usage, specify the number of units in the recipient usage period for keys generated in the key group. The recipient usage period is the time after a key is assigned during which it can be used to decrypt data.
d. In Recipient Usage Period, select the unit for that number. Available options are Minutes, Hours, Days, Weeks, Months, and Years.
The following image shows sample settings. Note that both the originator and recipient usage periods start at the same time, when the key is assigned.
The following image shows property setting for a new key group.
The key group appears in Key Management, as shown in the following image.
Creating a key
In the Management Console, select Key Groups from the left menu. In the list of available Key Group Profiles, select the View icon in the Actions column for the key group that you want to create a key for. By default, one key is created by the system for every new key group. You can activate that key by selecting the green Activate icon in the Actions column, as shown in the image below.
After activation, the key State changes to ACTIVE and the current active key is shown:
When a key expires at the end of its originator usage period, the system generates and activates a new key.
Auto-generated keys are automatically put in the active state. The old key remains in the active state so that data encrypted with it can still be decrypted.
In all cases, the most recently activated key is used for encryption operations. The most recently activated key is highlighted and its name appears on the top of the list of keys as shown in the following image.
Editing a Key Group
When editing a key group, the changes an administrator makes affect only the new keys created after the edit. The existing key(s), if active and suitable for encryption and decryption, continue to use the Key Group settings that existed at the time of their creation.
Managing data protection policies 34