Keys in EKMF Web follow the lifecycle that is recommended by NIST.

| State | Description | Can be destroyed? |
|---|---|---|
| pre-activation | First state for all keys that EKMF Web creates. In this state, the key is stored in the central key repository, but no instances of the key have been distributed to keystores. | Yes. You can destroy a pre-activation key that was created by mistake. See destroyed state in this table. |
| active | State that follows activation of the key. Activation causes the distribution of key instances to the systems defined in the associated key template. | No. See deactivated state in this table. |
| deactivated | State for a key that is no longer needed. Deactivation removes the key from the keystores it was previously distributed to. It is possible to reactivate a key. This changes the state to active and redistributes the key to the keystores it was previously removed from. | Yes. You can destroy a deactivated key. See the description of the destroyed state in this table. |
| destroyed | A state in which some key material is removed from the key repository, although other key information is retained. | Not applicable. You can mark a destroyed key as also compromised. See destroyed compromised state in this table. |
| compromised | A state that falls short of the destroyed state. The key is marked compromised with no further changes, and it remains in the keystores. | Yes. You can mark a compromised key as also destroyed. See destroyed compromised state in this table. |
| destroyed compromised | A state where your key is marked compromised and is also marked destroyed. | Not applicable. |

EKMF Web allows a deactivated or compromised key to be reinstalled; this operation redistributes key instances to the systems that are defined in the associated key template.
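The transitions in the table can be used to check a record of key operations for steps the lifecycle does not allow, such as destroying an active key. The following is an added example, not EKMF Web code: the operation names, key labels and events are constructed for illustration, and only transitions that the table states are modeled.

```python
from collections import namedtuple

# Operation names are labels chosen for this example, not EKMF Web API names.
# Only transitions the table states are listed. How a key first becomes
# "compromised", and the state after a reinstall, are not stated on the page,
# so neither is modeled here.
TRANSITIONS = {
    ("pre-activation", "activate"): "active",
    ("pre-activation", "destroy"): "destroyed",
    ("active", "deactivate"): "deactivated",
    ("deactivated", "reactivate"): "active",
    ("deactivated", "destroy"): "destroyed",
    ("destroyed", "mark_compromised"): "destroyed compromised",
    ("compromised", "destroy"): "destroyed compromised",
}

Violation = namedtuple("Violation", "index key state operation")


def replay(events, initial=None):
    """Replay (key, operation) events; a rejected operation leaves the state unchanged."""
    states = dict(initial or {})  # keys not listed here start in pre-activation
    violations = []
    for index, (key, operation) in enumerate(events):
        state = states.setdefault(key, "pre-activation")
        next_state = TRANSITIONS.get((state, operation))
        if next_state is None:
            violations.append(Violation(index, key, state, operation))
        else:
            states[key] = next_state
    return states, violations


# Constructed audit trail (key labels and events are made up for the example).
EVENTS = [
    ("KEY-A", "activate"),
    ("KEY-A", "destroy"),           # rejected: an active key cannot be destroyed
    ("KEY-A", "deactivate"),
    ("KEY-A", "destroy"),
    ("KEY-B", "destroy"),           # allowed: pre-activation key created by mistake
    ("KEY-B", "mark_compromised"),
    ("KEY-C", "destroy"),           # KEY-C starts in "compromised" (see INITIAL)
    ("KEY-C", "reactivate"),        # rejected: no such transition in the table
]
INITIAL = {"KEY-C": "compromised"}

if __name__ == "__main__":
    final, bad = replay(EVENTS, INITIAL)
    for v in bad:
        print(f"event {v.index}: {v.operation!r} not allowed for {v.key} in state {v.state!r}")
```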