How to manage keys?
Security add-in for Microsoft 365
With Securosys365 - DKE, you can manage HSM-protected keys directly from the Securosys365 - Cockpit.
In this guide, we will show you how to modify existing keys and explain the Double Key Encryption key lifecycle mechanisms.
Log in to the Securosys365 - DKE
- Log in to Securosys365 - DKE Cockpit
- Key Management: Open the Keys tab in Securosys365 - Key Management
Vaults
A Vault is a logical connection to a Securosys CloudHSM KeyStore (Partition).
It provides a dedicated keystore space that only you can access — ensuring isolation, security, and full control over your cryptographic keys.
Learn more:
Key States
The DKE-Key states follow the NIST SP 800-57 - Recommendation for Key Management, specifically Chapter 7: Key States and Transitions.
For detailed definitions, refer to Definitions - Key States.
Please carefully review the following diagram.
Important: Certain operations may permanently render the DKE-Key and any associated encrypted content inaccessible!
Creating a Key
To create a key, please follow the instructions under 1. Create Key and DKE Web Service.
Important Guidelines:
- Only generate
RSA 2048keys.- Set the initial key state to either
Pre-ActiveorActiveif the key will be used for Double Key Encryption.- Ensure the following key attributes:
- Usage:
Decrypt- Enabled:
TrueFailure to configure these attributes correctly will prevent the key from being usable for decryption operations.
Blocking a Key (Usage)
To block a key, click Actions next to the key you wish to block, then select Edit.
You have two options — choose carefully:
- Temporarily block the key (the key can be unblocked later)
- Permanently deactivate or compromise the key (the key cannot be unblocked later)
Temporarily Blocking a Key
To temporarily prevent a key from being used for decryption operations, toggle the Enabled switch off.
Important:
Do not change the Key State toDeactivatedorCompromisedif you only intend a temporary block.
Permanently Deactivating a Key
To permanently block a key from use, change its Key State to either:
Deactivated, orCompromised
Note:
The key will not be deleted from the HSM — but once set toDeactivatedorCompromised, it cannot be reactivated.
This operation is permanent and cannot be undone.
Any DKE-encrypted documents relying on this key may become permanently inaccessible!
Deleting a Key
To delete a key, click Actions next to the key you want to delete, then select Delete.
This will permanently remove the key from the HSM.
Important:
Only keys in theActiveorPre-Activestate can be deleted.
Key Storage and Key Attestation
Securosys CloudHSM provides the capability to cryptographically verify the origin of cryptographic keys, ensuring they were generated and securely stored within a Securosys HSM.
By default, the CloudHSM cluster used in Securosys365 is ECO-CH (located in Switzerland).
If a different cluster is required to meet geographic or jurisdictional requirements, please contact Securosys Support.
Within the Securosys365 Cockpit, under "Key" → "Get Attestation Files" and "Attestation Key", a key attestation can be generated and downloaded. The downloaded attestation files can be used to cryptographically prove key generation and critical key attributes, including:
- Key generated inside the HSM
- Key attributes marked as non-exportable
The attestation can be reviewed and validated by the customer or an independent auditor to confirm compliance with security and operational policies.
- Contact the support team
- Book a 30-minute demo