Data encryption key life cycle management
Data encryption keys (DEKs) are generated by the encryption engine. Data is encrypted and
decrypted using the same DEK, so a DEK must be preserved at least long enough to decrypt the
ciphertext that it created. The length of time data is stored before it is retrieved can vary greatly,
and some data may be stored for years or decades before it is accessed. To be sure the data
remains accessible, DEKs may also need to be stored for years or decades. Key management
systems provide life-cycle management for all DEKs created by the encryption engine. Key
management systems are provided by third-party vendors.
Figure 4
nodes.
Regardless of the length of the life cycle, there are four stages in the life of a DEK, as shown in
Figure
is used to encrypt and decrypt data at least once, and possibly many times. A DEK may be
configured to expire in a certain time frame to avoid becoming compromised. Under those
conditions, it must be used one more time to decrypt the data, and the resulting cleartext is
encrypted with a new key (rekeyed).
Fabric OS Encryption Administrator's Guide (SKM/ESKM)
53-1002721-01
shows the relationship of the LAN connections to the key vault and between encryption
Key Management
System
Node 1
EE
FIGURE 4
LAN connections to the key vault, and between encryption nodes
5. A DEK is created by an encryption engine, distributed, then stored in a key vault. The key
Data encryption key life cycle management
LAN
Encryption Group
Node 2
Node 3
EE
Group Leader
IO Sync LAN
Node 4
EE
EE
1
9