Securosys365 - Key Management

With Securosys365 - DKE, you can manage HSM-protected keys directly in the Securosys365 - Cockpit.

In this guide we will modify existing keys and explain DoubleKeyEncryption key-lifecycle mechanisms.

Log in to the Securosys365 - DKE

Securosys365 - DKE Key Management

Vaults

A Vault is a logical connection to a Securosys CloudHSM KeyStore (Partition).
It provides a dedicated keystore space that only you can access — ensuring isolation, security, and full control over your cryptographic keys.

Learn more:

Key States

The DKE-Key states follow the NIST SP 800-57 - Recommendation for Key Management, specifically Chapter 7: Key States and Transitions.

For detailed definitions, refer to Definitions - Key States.

Key States

Please carefully review the following diagram.
Important: Certain operations may permanently render the DKE-Key and any associated encrypted content inaccessible!

DKE Key States Diagram

Creating a Key

To create a key, please follow the instructions under 1. Create Key and DKE Web Service.

Important Guidelines:

  • Only generate RSA 2048 keys.
  • Set the initial key state to either Pre-Active or Active if the key will be used for DoubleKeyEncryption.
  • Ensure the following key attributes:
    • Usage: Decrypt
    • Enabled: True

Failure to configure these attributes correctly will prevent the key from being usable for decryption operations.


Blocking a Key (Usage)

To block a key, click Actions next to the key you wish to block, then select Edit.

You have two options — choose carefully:

  • Temporarily block the key (the key can be unblocked later)
  • Permanently deactivate or compromise the key (the key cannot be unblocked later)

Temporarily Blocking a Key

To temporarily prevent a key from being used for decryption operations, toggle the Enabled switch off.

Important:
Do not change the Key State to Deactivated or Compromised if you only intend a temporary block.


Permanently Deactivating a Key

To permanently block a key from use, change its Key State to either:

  • Deactivated, or
  • Compromised

Note:
The key will not be deleted from the HSM — but once set to Deactivated or Compromised, it cannot be reactivated.

Warning:
This operation is permanent and cannot be undone.
Any DKE-encrypted documents relying on this key may become permanently inaccessible!


Deleting a Key

To delete a key, click Actions next to the key you want to delete, then select Delete.

This will permanently remove the key from the HSM.

Important:
Only keys in the Active or Pre-Active state can be deleted.
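
The lifecycle rules from the sections above, written as a pre-change check that classifies a proposed key edit before it is applied in the Cockpit. This is an added example, not part of the Securosys documentation or a Securosys API; the `KeyRecord` type, the function names and the `intent` parameter are hypothetical, and the sample key is constructed.

```python
from dataclasses import dataclass, replace

# Rules transcribed from this page. KeyRecord and the function names are
# hypothetical (assumptions for this example), not a Securosys API.
TERMINAL_STATES = {"Deactivated", "Compromised"}  # cannot be reactivated
LIVE_STATES = {"Active", "Pre-Active"}  # valid initial states; only deletable ones

@dataclass(frozen=True)
class KeyRecord:
    label: str
    algorithm: str
    bits: int
    state: str
    usage: str
    enabled: bool

def creation_findings(key):
    """Return deviations from the page's guidelines for a new DKE key."""
    findings = []
    if (key.algorithm, key.bits) != ("RSA", 2048):
        findings.append("algorithm must be RSA 2048")
    if key.state not in LIVE_STATES:
        findings.append("initial state must be Pre-Active or Active")
    if key.usage != "Decrypt":
        findings.append("Usage must be Decrypt")
    if not key.enabled:
        findings.append("Enabled must be True")
    return findings

def review_edit(current, proposed, intent):
    """Classify an edit; intent is the operator's goal: 'temporary' or 'permanent'."""
    if current.state in TERMINAL_STATES and proposed.state not in TERMINAL_STATES:
        return "rejected", f"{current.state} keys cannot be reactivated"
    # Moves between the two terminal states are not described on the page;
    # assumption: any change into a terminal state is treated as permanent.
    if proposed.state in TERMINAL_STATES and proposed.state != current.state:
        if intent == "temporary":
            return "rejected", "state change is permanent; toggle Enabled off instead"
        return "irreversible", "cannot be reactivated and, per the delete rule, not deletable"
    if current.enabled and not proposed.enabled:
        return "reversible", "temporary block; switch Enabled back on to unblock"
    return "reversible", "no blocking change"

def can_delete(key):
    return key.state in LIVE_STATES

# Constructed sample key, for demonstration only.
SAMPLE = KeyRecord("dke-demo", "RSA", 2048, "Active", "Decrypt", True)
print(review_edit(SAMPLE, replace(SAMPLE, state="Deactivated"), "temporary"))
```
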

Key Storage and Key Attestation

Securosys CloudHSM provides the capability to cryptographically verify the origin of cryptographic keys, ensuring they were generated and securely stored within a Securosys HSM.

By default, the CloudHSM cluster used in Securosys365 is ECO-CH (located in Switzerland).
If a different cluster is required to meet geographic or jurisdictional requirements, please contact Securosys Support.

Within the Securosys365 Cockpit, under "Key" → "Get Attestation Files" and "Attestation Key", a key attestation can be generated and downloaded. The downloaded attestation files can be used to cryptographically prove key generation and critical key attributes, including:

  • Key generated inside the HSM
  • Key attributes marked as non-exportable

The attestation can be reviewed and validated by the customer or an independent auditor to confirm compliance with security and operational policies.