How to manage keys?
Security add-in for Microsoft 365
With Securosys365 - DKE, you can manage HSM-protected keys directly from the Securosys365 - Cockpit.
In this guide, we will show you how to modify existing keys and explain the Double Key Encryption key lifecycle mechanisms.
Log in to the Securosys365 - DKE
- Log in to Securosys365 - DKE Cockpit
- Key Management: Open the Keys tab in Securosys365 - Key Management
Vaults
A Vault is a logical connection to a Securosys CloudHSM KeyStore (Partition).
It provides a dedicated keystore space that only you can access — ensuring isolation, security, and full control over your cryptographic keys.
Key States
The DKE-Key states follow the NIST SP 800-57 - Recommendation for Key Management, specifically Chapter 7: Key States and Transitions.
For detailed definitions, refer to Definitions - Key States.
Please carefully review the following diagram.
Important: Certain operations may permanently render the DKE-Key and any associated encrypted content inaccessible!
Creating a Key
To create a key, please follow the instructions under 1. Create Key and DKE Web Service.
Important Guidelines:
- Only generate RSA 2048 keys.
- Set the initial key state to either Pre-Active or Active if the key will be used for Double Key Encryption.
- Ensure the following key attributes:
  - Usage: Decrypt
  - Enabled: True
Failure to configure these attributes correctly will prevent the key from being usable for decryption operations.
Blocking a Key (Usage)
To block a key, click Actions next to the key you wish to block, then select Edit.
You have two options — choose carefully:
- Temporarily block the key (the key can be unblocked later)
- Permanently deactivate or compromise the key (the key cannot be unblocked later)
Temporarily Blocking a Key
To temporarily prevent a key from being used for decryption operations, toggle the Enabled switch off.
Important:
Do not change the Key State to Deactivated or Compromised if you only intend a temporary block.
Permanently Deactivating a Key
To permanently block a key from use, change its Key State to either:
- Deactivated, or
- Compromised
Note:
The key will not be deleted from the HSM, but once set to Deactivated or Compromised, it cannot be reactivated.
This operation is permanent and cannot be undone.
Any DKE-encrypted documents relying on this key may become permanently inaccessible!
Deleting a Key
To delete a key, click Actions next to the key you want to delete, then select Delete.
This will permanently remove the key from the HSM.
Important:
Only keys in the Active or Pre-Active state can be deleted.
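The lifecycle rules from the sections above (creation guidelines, temporary versus permanent blocking, deletion) written as a pre-change check that tells an operator whether a planned action can be undone. This is an added example, not Securosys code: the Key record and the function names are hypothetical, and nothing here calls the Cockpit or the HSM.

```python
from dataclasses import dataclass

# State and attribute values are taken from this guide; the data model is assumed.
USABLE_STATES = {"Pre-Active", "Active"}
PERMANENT_STATES = {"Deactivated", "Compromised"}

@dataclass(frozen=True)
class Key:
    algorithm: str   # e.g. "RSA 2048"
    state: str
    usage: str
    enabled: bool

def creation_issues(key):
    """List deviations from the guide's rules for a new DKE key."""
    issues = []
    if key.algorithm != "RSA 2048":
        issues.append("algorithm must be RSA 2048")
    if key.state not in USABLE_STATES:
        issues.append("initial state must be Pre-Active or Active")
    if key.usage != "Decrypt":
        issues.append("usage must be Decrypt")
    if not key.enabled:
        issues.append("Enabled must be True")
    return issues

def review_edit(current, new_state=None, new_enabled=None):
    """Classify a planned Edit before it is applied."""
    state = current.state if new_state is None else new_state
    enabled = current.enabled if new_enabled is None else new_enabled
    if state != current.state:
        if state in PERMANENT_STATES:
            # Moves between the two permanent states are not described in
            # the guide; this sketch flags them as irreversible as well.
            return "irreversible"
        if current.state in PERMANENT_STATES:
            return "rejected"        # cannot be reactivated
        return "see-diagram"         # Pre-Active/Active moves: not modelled here
    if enabled != current.enabled:
        return "reversible"          # Enabled switch can be toggled back
    return "no-op"

def review_delete(current):
    """Deletion is only offered for Active or Pre-Active keys and is permanent."""
    return "irreversible" if current.state in USABLE_STATES else "rejected"
```

Anything classified as irreversible is the point at which DKE-encrypted documents relying on the key may become permanently inaccessible, so it is the result to gate behind a second approval.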
Key Storage and Key Attestation
Securosys CloudHSM provides the capability to cryptographically verify the origin of cryptographic keys, ensuring they were generated and securely stored within a Securosys HSM.
By default, the CloudHSM cluster used in Securosys365 is ECO-CH (located in Switzerland).
If a different cluster is required to meet geographic or jurisdictional requirements, please contact Securosys Support.
Within the Securosys365 Cockpit, under "Key" → "Get Attestation Files" and "Attestation Key", a key attestation can be generated and downloaded. The downloaded attestation files can be used to cryptographically prove key generation and critical key attributes, including:
- Key generated inside the HSM
- Key attributes marked as non-exportable
The attestation can be reviewed and validated by the customer or an independent auditor to confirm compliance with security and operational policies.