Retired Keys
A retired key is a key instance that, in the normal course of its use, is no longer needed for reading encrypted tapes and can be destroyed. The following points outline the process of deactivating keys:
- The currently active symmetric key instance for each key name defined in parmlib is automatically deactivated and a new active key instance takes its place, based on the time interval specified for the Regenerate attribute in parmlib.
- When a key instance is deactivated, it is kept in the key repository until the tape management system indicates that it is no longer needed to decrypt any encrypted tape file. At that point the key is considered to be retired.
- When your site is configured for the automatic removal of keys, retired keys are not removed from the key repository immediately.
- After keys are identified by the TBEKMUTL utility as retired, they are retained for a grace period of 90 days. If a request to use the key occurs during that time, the key is promoted back to deactivated status and it is removed from the queue of keys to be deleted.
- After the grace period of 90 days, the retired key instance is destroyed.
- To configure your site for the automatic removal of keys, specify the following attribute in parmlib:
  AutomaticallyRemoveKeys=Y
  Note: The default is not to delete keys automatically.
- Only the instance of the key is retired. The key name is still specified in parmlib.
- New generations of the key are available.
- The currently active instance of the key is used to perform encryption.
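The lifecycle described in the points above can be traced with a small state model. This is an added example, not product code: the class and method names, the sample key name, and the choice to treat day 90 itself as expired are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional

GRACE_PERIOD = timedelta(days=90)  # grace period stated on the page
State = Enum("State", "ACTIVE DEACTIVATED RETIRED DESTROYED")

@dataclass
class KeyInstance:
    key_name: str                      # stays defined in parmlib across generations
    generation: int
    state: State = State.ACTIVE
    retired_on: Optional[date] = None  # set while the instance waits in the delete queue

class Repository:
    """Toy model of the key repository (hypothetical, not the product's structures)."""
    def __init__(self, automatically_remove_keys=False):  # default: keys are not deleted
        self.auto_remove = automatically_remove_keys
        self.keys = []

    def regenerate(self, key_name):
        """Regenerate interval elapsed: deactivate the active instance, add a new one."""
        gens = [k for k in self.keys if k.key_name == key_name]
        for k in gens:
            if k.state is State.ACTIVE:
                k.state = State.DEACTIVATED
        self.keys.append(KeyInstance(key_name, len(gens) + 1))
        return self.keys[-1]

    def mark_retired(self, key, today):
        """Tape management reports that no encrypted tape file needs this instance."""
        if key.state is State.DEACTIVATED:
            key.state, key.retired_on = State.RETIRED, today

    def request_use(self, key):
        """Use request: a retired instance is promoted back and leaves the delete queue."""
        if key.state is State.RETIRED:
            key.state, key.retired_on = State.DEACTIVATED, None
        return key.state is not State.DESTROYED  # a destroyed instance cannot decrypt

    def purge(self, today):
        """Destroy retired instances whose grace period has elapsed (assumed >= 90 days)."""
        gone = [k for k in self.keys if self.auto_remove and k.state is State.RETIRED
                and today - k.retired_on >= GRACE_PERIOD]
        for k in gone:
            k.state = State.DESTROYED
        return gone
```

In this model, a use request that arrives during the grace period restarts the cycle: the instance must be identified as retired again and wait a further 90 days before it can be destroyed.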