Keys – HP Secure Key Manager User Manual

Page 109

The Key and Policy Configuration page enables you to create, import, and manage keys. This page contains the following sections:

Key Properties
Group Permissions
Custom Attributes
RSA Public Key
Create Keys
Import Keys


The SKM can create and store cryptographic keys (DES, AES, RSA, etc.). A key is composed of two main parts: the key bytes and the key metadata. The key bytes are the bytes used by the cryptographic algorithm (together with your data) to produce either plaintext or ciphertext. The key metadata contains information about the key bytes: key name, owner username, algorithm, key size, creation date, group permissions, and any custom attributes that you create. The metadata also indicates whether the key is a versioned key, deletable, or exportable.

Cryptographic keys can be global or owned by a particular user. Global keys are keys that are available to everyone, with no authentication required. Additionally, group permissions can be assigned to a key. For example, you might give members of Group1 permission to export at any time and members of Group2 permission to export only during a specific time period. Using authorization policies, you can set usage limitations for keys.

As the administrator of the Secure Key Manager, you can define how your clients authenticate to the server. A client might be an application or a database, for example. There are two kinds of client sessions: authenticated and unauthenticated (global). When a client authenticates, it authenticates either as a local user or as a user in the LDAP user directory that the server is configured to use. An authenticated client has access to all global keys, all the keys owned by the user, and all keys accessible to groups to which that user belongs. If a client does not authenticate to the server, then that client has access only to global keys. On the SKM, keys can be:

Generated on the Management Console by an administrator.
Imported through the Management Console.
Marked as exportable, deletable, neither, or both. An exportable key is a key that a client can export from the server. Similarly, a deletable key is a key that the client can delete from the server.
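The access rules described above (global keys open to every session, owned keys reachable by their owner or by members of a permitted group, the exportable and deletable flags as hard limits, and a group permission that may be restricted to a time window such as the Group1/Group2 example) can be modelled in a few lines. The following is an added example, not HP's code and not the SKM's actual policy format or API: the operation names "use", "export" and "delete", the (start, end) time-window shape, and all users, groups and keys below are assumptions constructed for the illustration.

```python
# Added example (not HP's code): a constructed model of the key-access rules the
# manual describes. SKM's real authorization-policy format and API are not shown
# on the page; the "use"/"export"/"delete" operation names, the time-window shape
# and all sample users, groups and keys below are assumptions for this illustration.
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class GroupPermission:
    group: str
    operations: FrozenSet[str]                      # e.g. frozenset({"export"})
    window: Optional[Tuple[time, time]] = None      # (start, end) time of day; None = at any time


@dataclass
class KeyRecord:
    """Key metadata as the manual lists it; the key bytes are deliberately kept out of the model."""
    name: str
    algorithm: str
    size_bits: int
    owner: Optional[str]                            # None marks a global key
    exportable: bool = False
    deletable: bool = False
    versioned: bool = False
    group_permissions: List[GroupPermission] = field(default_factory=list)
    custom_attributes: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Session:
    user: Optional[str]                             # None = unauthenticated (global) session
    groups: FrozenSet[str] = frozenset()


def in_window(window: Optional[Tuple[time, time]], at: datetime) -> bool:
    """True if the wall-clock time of `at` falls inside the permission's window."""
    if window is None:
        return True
    start, end = window
    t = at.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end                    # window crosses midnight


def can_access(key: KeyRecord, session: Session) -> bool:
    """Visibility: global keys to everyone; otherwise the owner or a member of a permitted group."""
    if key.owner is None:
        return True
    if session.user is None:
        return False                                # unauthenticated clients see global keys only
    if session.user == key.owner:
        return True
    return any(p.group in session.groups for p in key.group_permissions)


def is_permitted(key: KeyRecord, session: Session, operation: str, at: datetime) -> bool:
    """Decide one operation ("use", "export" or "delete") for a session at time `at`."""
    if not can_access(key, session):
        return False
    if operation == "export" and not key.exportable:
        return False                                # the key's flag is a hard limit for everyone
    if operation == "delete" and not key.deletable:
        return False
    if operation == "use":
        return True                                 # having access is enough to use the key
    if key.owner is None or key.owner == session.user:
        return True                                 # global key or the owner: only the flags apply
    # Group members additionally need a matching permission whose window is open now.
    return any(
        p.group in session.groups and operation in p.operations and in_window(p.window, at)
        for p in key.group_permissions
    )


def permitted_operations(key: KeyRecord, session: Session, at: datetime) -> FrozenSet[str]:
    return frozenset(op for op in ("use", "export", "delete") if is_permitted(key, session, op, at))


# --- constructed sample data (not taken from the page) ---
BACKUP_KEY = KeyRecord(
    name="backup-aes-256", algorithm="AES", size_bits=256, owner="alice",
    exportable=True, deletable=False,
    group_permissions=[
        GroupPermission("Group1", frozenset({"export"})),                             # export at any time
        GroupPermission("Group2", frozenset({"export"}), (time(9, 0), time(17, 0))),  # business hours only
    ],
    custom_attributes={"application": "nightly-backup"},
)
GLOBAL_KEY = KeyRecord(name="shared-aes-128", algorithm="AES", size_bits=128, owner=None)

ALICE = Session("alice")
BOB = Session("bob", frozenset({"Group1"}))
CAROL = Session("carol", frozenset({"Group2"}))
ANON = Session(None)
MORNING = datetime(2024, 1, 1, 10, 0)
NIGHT = datetime(2024, 1, 1, 23, 0)

if __name__ == "__main__":
    for when in (MORNING, NIGHT):
        for s in (ALICE, BOB, CAROL, ANON):
            print(when.time(), s.user, sorted(permitted_operations(BACKUP_KEY, s, when)))
```

Running the block prints, for each sample session, which operations are allowed at 10:00 and at 23:00: Carol (Group2) can export only in the morning run, Bob (Group1) in both, the owner Alice in both, and the unauthenticated session gets nothing on the owned key while it can still use the global key. Note that the deletable flag is checked before any group or owner logic, which is the conservative order given the manual's warning about deleted keys.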


Do not delete keys that might be needed to decrypt data at some point in the future. Once you delete a key, there is no way to decrypt data that was encrypted with that key. As such, you should be extremely cautious when making decisions about deleting keys.

The Keys section enables you to view all the keys on the server. You can click a field name (Key Name, Owner) to sort the keys by that value; click it again to toggle between ascending and descending order. You can use the Query field to select a query that will filter this page by the key metadata. Click Run Query to actually run the query. The query you apply to this page determines which columns are shown. All keys and columns are shown by default. (But they are not shown in this screenshot.)

Secure Key Manager