How Deactivated Keys Are Managed

The following points describe how deactivated keys are managed:

A CA Tape Encryption key name can refer to any number of deactivated keys.
After a key is deactivated, it is no longer used to encrypt tapes. However, the key is retained for decrypting tapes that have been encrypted with it.
Deactivated keys represent keys in the ICSF database or BES database that had been used to encrypt tapes under a specific CA Tape Encryption key name.
- When a currently active key is deactivated, it is replaced by a new currently active key, based on the settings for the Regenerate and NumberOfGenerations attributes.
- After you deactivate a key, you cannot reactivate it to use it for encryption purposes.
Whenever an application mounts and attempts to read an encrypted tape, CA Tape Encryption references the key that was used to encrypt the data.
If a tape is mounted that had been encrypted with a deactivated key, the deactivated key is used to decrypt the tape.
The tape management system tracks which specific key instances are being used. When the last tape using a given key instance is overwritten (reused), that key is eligible to be deleted. The tape management system informs CA Tape Encryption which keys to delete. By default, CA Tape Encryption retains the key for 90 days before it finally deletes it. This ensures that a key does not remain in the BES database and ICSF database beyond the life cycle of the tape.

Note: For more information about deactivated keys, see the chapter “Deactivating Keys.”