Available in Classic and VPC
Key status
In Key Management Service, keys have a series of states from creation to final deletion, which is called the key lifecycle. The key lifecycle is managed by the key administrator. For more information about key status over the life cycle, see Key Management Service concepts.
As keys are used, they are rotated according to set intervals, and up to 100 versions can be created per key. The key's state is inherited by all versions. For example, if the status of a key with 3 versions is switched to disabled, all 3 versions are disabled. When the key is reactivated, each version is automatically restored to its previous state. For more information about key versions and rotation, see Key version management.
Each status of a key is described below.
- Creation: when a key creation request is received, the key is generated according to key management recommendations and assigned a unique identifier. Created keys are stored in encrypted storage, and a backup point is created for emergencies.
- Available: a key that can be used for all encryption/decryption requests. Newly created keys are enabled automatically and placed in the available state, and can be disabled at any time to stop their use. Keys in the available state incur management charges.
- Disabled: a key that can be re-enabled at any time. Disabled keys still follow the rotation cycle and receive a new version on the next rotation date. Disabled keys cannot serve encryption/decryption requests, but management charges still apply.
- Scheduled for deletion: a key that is no longer in use and that a user has scheduled for deletion to prevent misuse and avoid unnecessary maintenance and management. 72 hours after the deletion request the key is permanently deleted and cannot be recovered, so before requesting deletion verify carefully that nothing still uses the key. The request can be cancelled at any time before final deletion; a key whose deletion request is cancelled is placed in the disabled state immediately, not the available state. Keys scheduled for deletion still follow the rotation cycle and incur management charges. If you have confirmed that nothing uses the key, you can click the [Delete immediately] button to delete it without waiting out the 72 hours.
- Deleted: when a key is finally deleted, the raw key is zeroed out (zeroisation), and the operational history of the key resource and the usage history held in Key Management Service are deleted immediately. Usage history that has already been transmitted elsewhere is not discarded: for example, if key usage history was backed up to Object Storage through the Cloud Log Analytics integration, that copy remains even after the key's final deletion. A finally deleted key cannot be recovered under any circumstances.
The availability of the basic management functions depends on the key status, as shown below.
| Status | Manage key permissions | Rotate keys | Disable/enable keys | Request/cancel key deletion | View key history |
|---|---|---|---|---|---|
| Available | O | O | Disable: O | Request: O | O |
| Disabled | O | X | Enable: O | Request: O | O |
| Scheduled for deletion | X | X | X | Cancel: O | O |
| Deleted | - | - | - | - | - |
"Rotate keys" here is the rotation you trigger yourself; as described above, the scheduled rotation cycle still runs for disabled keys and for keys scheduled for deletion.
Key status must be managed carefully, and status-changing functions such as disable/enable and deletion requests should be handled with caution. Because keeping key status secure requires continuous monitoring by users, the console sends a notification e-mail to the sub-accounts with the relevant permissions whenever a key's status changes, so users can track key status in real time.
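The lifecycle rules above and the feature table can be checked against a small state-machine model. The following is an added example written for this page, not Key Management Service's own code or API. It encodes the four states, the per-state permitted operations from the table, state inheritance by every version, rotation that continues while a key is disabled or scheduled for deletion, the 72-hour grace period, the rule that a cancelled deletion request lands in disabled, and zeroisation plus history wiping on final deletion. Names such as `ManagedKey`, `KeyVersion`, `ALLOWED` and the `external_log` list standing in for logs already exported to Cloud Log Analytics are assumptions of the example, and the key material is a random 32-byte placeholder, not real key generation.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
import secrets

DELETION_GRACE = timedelta(hours=72)   # page: permanent deletion 72 hours after the request


class KeyState(Enum):
    AVAILABLE = "available"
    DISABLED = "disabled"
    SCHEDULED_FOR_DELETION = "scheduled_for_deletion"
    DELETED = "deleted"


# Operations permitted per state, mirroring the feature table ("rotate" = manual rotate action).
ALLOWED = {
    KeyState.AVAILABLE: {"manage_permissions", "rotate", "disable", "request_deletion", "view_history"},
    KeyState.DISABLED: {"manage_permissions", "enable", "request_deletion", "view_history"},
    KeyState.SCHEDULED_FOR_DELETION: {"cancel_deletion", "view_history"},
    KeyState.DELETED: set(),
}


@dataclass
class KeyVersion:
    number: int
    material: bytearray    # hypothetical stand-in for the raw key; mutable so it can be zeroised
    enabled: bool = True   # always inherited from the parent key's state


@dataclass
class ManagedKey:
    key_id: str
    external_log: list[str]                 # stand-in for logs already shipped to Cloud Log Analytics
    state: KeyState = KeyState.AVAILABLE
    versions: list[KeyVersion] = field(default_factory=list)
    history: list[str] = field(default_factory=list)   # KMS-side history, wiped on final deletion
    delete_at: datetime | None = None

    def __post_init__(self) -> None:
        self._add_version()                 # creation: version 1, enabled at once
        self._log("created")

    def _log(self, event: str) -> None:
        self.history.append(event)
        self.external_log.append(f"{self.key_id}: {event}")   # the exported copy is never wiped

    def _check(self, op: str) -> None:
        if op not in ALLOWED[self.state]:
            raise PermissionError(f"{op} not allowed while key is {self.state.value}")

    def _add_version(self) -> KeyVersion:
        v = KeyVersion(len(self.versions) + 1, bytearray(secrets.token_bytes(32)), self.state is KeyState.AVAILABLE)
        self.versions.append(v)
        return v

    def _transition(self, op: str, new_state: KeyState) -> None:
        self._check(op)
        self.state = new_state
        for v in self.versions:             # the key's state is inherited by every version
            v.enabled = new_state is KeyState.AVAILABLE
        self._log(op)

    def rotate(self, scheduled: bool = False) -> KeyVersion:
        if not scheduled:
            self._check("rotate")           # manual rotate is an available-state action (table)
        elif self.state is KeyState.DELETED:   # the cycle still runs while disabled or scheduled for deletion
            raise PermissionError("deleted keys are never rotated")
        self._log("rotated (scheduled)" if scheduled else "rotated (manual)")
        return self._add_version()

    def disable(self) -> None: self._transition("disable", KeyState.DISABLED)
    def enable(self) -> None: self._transition("enable", KeyState.AVAILABLE)

    def request_deletion(self, now: datetime | None = None) -> datetime:
        self._transition("request_deletion", KeyState.SCHEDULED_FOR_DELETION)
        self.delete_at = (now or datetime.now(timezone.utc)) + DELETION_GRACE
        return self.delete_at

    def cancel_deletion(self) -> None:
        self._transition("cancel_deletion", KeyState.DISABLED)   # lands in disabled, not available
        self.delete_at = None

    def finalize_deletion(self, now: datetime, immediate: bool = False) -> bool:
        if self.state is not KeyState.SCHEDULED_FOR_DELETION:
            raise PermissionError("only a key scheduled for deletion can be deleted")
        if not immediate and now < self.delete_at:
            return False                    # still inside the 72-hour window; nothing happens
        for v in self.versions:
            v.material[:] = bytes(len(v.material))   # zeroisation of the raw key material
        self.versions.clear()
        self.history.clear()                # KMS-side history goes; external_log stays intact
        self.state, self.delete_at = KeyState.DELETED, None
        return True


def lifecycle_trace() -> list[str]:
    # Constructed walk-through: the key state after each step, in order.
    k = ManagedKey("demo-key", external_log=[])
    trace = []
    for step in (k.disable, k.enable, k.request_deletion, k.cancel_deletion, k.request_deletion):
        step(); trace.append(k.state.value)
    k.finalize_deletion(k.delete_at)        # grace period over: zeroise and delete
    trace.append(k.state.value)
    return trace
```

`lifecycle_trace()` walks one key through disable, enable, a deletion request, cancellation, a second request and final deletion; the trace it returns shows the cancelled request landing the key in `disabled` rather than `available`. On a disabled key, `rotate()` raises `PermissionError` (the X in the table) while `rotate(scheduled=True)` still adds a version, and after `finalize_deletion` the KMS-side `history` is empty while the `external_log` list keeps every event, which is the caveat about exported usage history above.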
Disable/enable keys
To respond to events such as a security incident or an operational change while an encryption key is in use, the key can be temporarily disabled without deleting it. Key administrators control key usage in real time with the status change function, disabling a key or re-enabling it. Follow these steps to change a key's status:
- Click Services > Security > Key Management Service > Key in order.
- Select the key whose status you want to change.
- To change an available key to disabled: click the [Disable keys] button.
  - Disable keys pop-up window: if the key has a usage history, the pop-up shows its recent usage history (recent usage history means API usage history). Review it, confirm that nothing still depends on the key, and click the [Disable] button. Take particular care when disabling a key that has a usage history.
- To change a disabled key back to available: click the [Enable keys] button.
- Check the changed key status in the key list.
  - Disabled: the key has been disabled and is no longer in use, but can be re-enabled at any time to return it to the available state. So that it can be returned to service at any time, a disabled key still follows the rotation cycle.
  - Available: the key can be used for all encryption/decryption requests.