Monitoring the lifecycle of encryption keys - Standard Plan
IBM Cloud® Hyper Protect Crypto Services follows the security guidelines by NIST SP 800-57 for key states.
Key states and transitions
Cryptographic keys, in their lifetime, transition through several states that are a function of how long the keys are in existence and whether data is protected.
Hyper Protect Crypto Services provides a graphical user interface and a REST API for tracking keys as they move through several states in their lifecycle. The following diagram shows how a key passes through states between the generation and the destruction.
| State | Integer Mapping | Description |
|---|---|---|
| Pre-active | 0 | Keys are initially created in the Pre-active state. A pre-active key cannot be used to cryptographically protect data. |
| Active | 1 | Keys move immediately into the Active state on the activation date. This transition marks the beginning of a key's cryptoperiod. Keys with no activation date become active immediately and remain active until they expire or are destroyed. |
| Suspended | 2 | A key moves into the Suspended state when it is disabled for encrypt and decrypt operations. In this state, the key is unable to cryptographically protect data and can be moved only to the Active or Destroyed states. |
| Deactivated | 3 | A key moves into the Deactivated state on the expiration date, if one is assigned. In this state, the key is unable to cryptographically protect data and can be moved only to the Destroyed state. |
| Destroyed | 5 | Deleted keys are in the Destroyed state. Keys in this state are not recoverable. Metadata that is associated with a key, such as the key's transition history and name, is kept in the Hyper Protect Crypto Services database. |
Key states and service actions
Key states affect whether an action that is performed on a key succeeds or fails. For example, if a key is in the Active state, you can't restore the key because the key wasn't previously deleted.
The following table shows how Hyper Protect Crypto Services handles service actions based on the state of a key. The column headers represent the key states, and the row headers represent the actions that you can perform on a key. The Checkmark icon 
indicates that the action on a key is expected to succeed based on the key state.
| Action | Pre-active | Active | Suspended | Deactivated | Destroyed |
|---|---|---|---|---|---|
| Get key. | |
|
|
|
|
| List keys. | |
|
|
|
|
| Rotate key. | |
||||
| Wrap key. | |
||||
| Unwrap key. | |
|
|||
| Rewrap key. | |
|
|||
| Disable key. | |
||||
| Enable key. | |
||||
| Delete key. | |
|
|
||
| Restore key. | |
Monitoring for lifecycle changes
After you add a root key to the service, use the UI or the Hyper Protect Crypto Services key management REST API to view your key's transition history and configuration.
For audit purposes, you can also monitor the activity trail for a root key by integrating Hyper Protect Crypto Services with the IBM Cloud Activity Tracker. After both services are provisioned and running, activity events are generated and automatically collected in an IBM Cloud Activity Tracker log when you perform actions on keys in Hyper Protect Crypto Services.