Key status management


Available in Classic and VPC

Key status

In Key Management Service, keys have a series of states from creation to final deletion, which is called the key lifecycle. For more information on key status over the lifecycle, see Key Management Service concepts.

As keys are used, they are rotated according to a set rotation cycle, and up to 100 versions can be created per key. A key's status is inherited by all of its versions. For example, if a key with 3 versions is transitioned to Disabled, all 3 versions are disabled. When the key is re-enabled, each version is automatically restored to its previous state. For more information on key versions and rotation, see Key version management.

The descriptions for each key status are as follows:

  • Creation
    When a key creation request occurs, the key is securely generated according to key management recommendations and assigned a unique identifier. Created keys are stored in encrypted storage, and a backup point is created for emergency recovery.

  • Available
    A key that can be used for all encryption/decryption requests. Created keys are automatically enabled and put into the available state, and can be disabled at any time to stop using them. Keys in the available state are subject to billing for management.

  • Disabled
    A key that has been disabled and can be reactivated at any time. Keys in a disabled state still follow the rotation cycle and are updated to a new version on the next rotation date. Disabled keys cannot be used for encryption/decryption requests, but management costs are still incurred.

  • Requested for deletion
    Keys that are no longer in use and that the user has scheduled for deletion to prevent misuse and reduce unnecessary maintenance and management. 72 hours after the deletion request, the key is permanently deleted and cannot be recovered. Before requesting deletion, carefully verify that the key has no remaining users. You can cancel the deletion request at any time before final deletion; a key whose deletion request is canceled is immediately placed in the Disabled status, not the Available status. Keys in the Requested for deletion state still follow the rotation cycle and are subject to management charges. If the key has no users, you can also click the [Delete immediately] button to process the deletion right away.

  • Deleted
    When a key is finally deleted, the raw key material is zeroed out (zeroisation), and the operational history of the key resource and the usage history maintained in Key Management Service are immediately deleted. Usage history that has already been transferred externally is not discarded: for example, if key usage history was backed up to Object Storage through integration with Cloud Log Analytics, the transferred usage history remains even after the key's final deletion. Finally deleted keys cannot be recovered under any circumstances.

The availability of basic features depends on the key status. The basic features available in each status are as follows (O: available, X: not available, -: not applicable):

Status                  | Manage key permissions | Rotate keys | Disable/enable keys | Request key deletion/Cancel key deletion | View key history
Available               | O                      | O           | Disable             | O                                        | O
Disabled                | O                      | X           | Enable              | O                                        | O
Requested for deletion  | X                      | X           | X                   | Cancel key deletion                      | O
Deleted                 | -                      | -           | -                   | -                                        | -
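The lifecycle above is a small state machine: Available and Disabled can be switched at any time, either can move to Requested for deletion, a canceled request lands in Disabled (not Available), and a pending key is finalized either after the 72-hour grace period or by immediate deletion. The following is an added illustrative model of those rules and of the feature table, written for this page; it is not NAVER Cloud Platform code and does not call the KMS API. The status names, the feature names used as dictionary keys, and the ManagedKey class are assumptions made for the example. Note how scheduled rotation still applies to Disabled and Requested-for-deletion keys even though user-triggered rotation is rejected there, and how every version shares the key's status.

```python
from datetime import datetime, timedelta
from enum import Enum


class KeyStatus(Enum):
    AVAILABLE = "Available"
    DISABLED = "Disabled"
    PENDING_DELETION = "Requested for deletion"
    DELETED = "Deleted"


DELETION_GRACE = timedelta(hours=72)   # grace period stated on the page
MAX_VERSIONS = 100                     # version limit stated on the page

# Basic features permitted per status, transcribed from the table above.
# The feature names themselves are assumptions made for this example.
FEATURES = {
    KeyStatus.AVAILABLE: {"manage_permissions", "rotate", "disable",
                          "request_deletion", "view_history"},
    KeyStatus.DISABLED: {"manage_permissions", "enable",
                         "request_deletion", "view_history"},
    KeyStatus.PENDING_DELETION: {"cancel_deletion", "view_history"},
    KeyStatus.DELETED: set(),
}


class ManagedKey:
    """Illustrative model of a KMS key's status lifecycle (not the real service)."""

    def __init__(self, key_id: str, now: datetime):
        self.key_id = key_id
        self.status = KeyStatus.AVAILABLE      # new keys start out Available
        self.versions = [1]                    # version numbers; all share the key status
        self.deletion_due = None               # set while a deletion request is pending
        self.history = [(now, "create")]       # service-side operational history

    def allows(self, feature: str) -> bool:
        return feature in FEATURES[self.status]

    def _require(self, feature: str) -> None:
        if not self.allows(feature):
            raise PermissionError(f"{feature} not allowed while key is {self.status.value}")

    def can_use_for_crypto(self) -> bool:
        # Only Available keys serve encryption/decryption requests.
        return self.status is KeyStatus.AVAILABLE

    def version_statuses(self) -> dict:
        # Every version inherits the key's status.
        return {v: self.status for v in self.versions}

    def rotate(self, now: datetime, scheduled: bool = False) -> int:
        # Scheduled rotation continues for Disabled and pending keys;
        # user-triggered rotation is only a feature of Available keys.
        if self.status is KeyStatus.DELETED:
            raise PermissionError("a deleted key has no material to rotate")
        if not scheduled:
            self._require("rotate")
        if len(self.versions) >= MAX_VERSIONS:
            raise RuntimeError("version limit reached")
        self.versions.append(self.versions[-1] + 1)
        self.history.append((now, "rotate"))
        return self.versions[-1]

    def disable(self, now: datetime) -> None:
        self._require("disable")
        self.status = KeyStatus.DISABLED
        self.history.append((now, "disable"))

    def enable(self, now: datetime) -> None:
        self._require("enable")
        self.status = KeyStatus.AVAILABLE
        self.history.append((now, "enable"))

    def request_deletion(self, now: datetime) -> datetime:
        self._require("request_deletion")
        self.status = KeyStatus.PENDING_DELETION
        self.deletion_due = now + DELETION_GRACE
        self.history.append((now, "request_deletion"))
        return self.deletion_due

    def cancel_deletion(self, now: datetime) -> None:
        self._require("cancel_deletion")
        self.status = KeyStatus.DISABLED       # lands in Disabled, never directly Available
        self.deletion_due = None
        self.history.append((now, "cancel_deletion"))

    def delete_immediately(self, now: datetime) -> None:
        # [Delete immediately] is only offered while a deletion request is pending.
        self._require("cancel_deletion")
        self._finalize()

    def tick(self, now: datetime) -> None:
        """Apply the time-based transition: finalize once the 72-hour grace has elapsed."""
        if self.status is KeyStatus.PENDING_DELETION and now >= self.deletion_due:
            self._finalize()

    def _finalize(self) -> None:
        self.status = KeyStatus.DELETED
        self.deletion_due = None
        self.versions = []     # raw key material zeroised
        self.history = []      # service-side operational and usage history discarded


def is_rejected(action, *args, **kwargs) -> bool:
    """True if the lifecycle model refuses the action in the key's current status."""
    try:
        action(*args, **kwargs)
        return False
    except PermissionError:
        return True
```

Walking a key through Available, Disabled, Requested for deletion and back with this model is a quick way to confirm that an operational runbook respects the table, for instance that a canceled deletion leaves the key unusable until someone explicitly enables it again.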

Key status must be managed carefully, and status change features such as disable/enable and request for deletion should be used with caution. Because keeping key status secure requires continuous monitoring by users, the console sends a notification email to sub accounts with the relevant permissions whenever a key's status changes, so that the current key status can be checked in real time.

Disable/Enable key


To respond to events such as security incidents or operational circumstances while a key is in use, the key can be temporarily disabled without deleting it. The key admin can control key usage in real time by using the status change feature to switch a key between Disabled and Available. To change key status:

  1. From the NAVER Cloud Platform console, navigate to Services > Security > Key Management Service > Key.
  2. Select the key whose status you want to change and proceed with the setting.
    • To change an enabled key to Disabled, click [Disable key]. Take care when disabling a key that has usage history. (Recent usage history refers to the API usage history.)
      • Disable key popup: If the key to be disabled has usage history, check the recent usage history in the popup and then click [Disable].
    • To change a disabled key back to Available, click [Enable key].
  3. Check the changed key status in the key list.
    • Disabled: A key that has been deactivated and is not in use; it can be re-enabled at any time to return it to the Available state. So that it can be returned to service at any time, a key in the Disabled state still follows the rotation cycle.
    • Available: A key that can be used for all encryption/decryption requests.