Avoiding Accidental Data Loss through Encryption Key Expiration


VAST Cluster encryption keys are initially created without expiration dates.

Encryption keys expire in the following cases:

  • When keys are revoked through VMS. Their expiration date is set to the present date, causing the keys to expire.

  • When keys expire on the EKM server. When this occurs, the keys are revoked on the cluster and their state cannot be changed.

VAST Cluster monitors encryption key expiration and issues a critical alarm one week, two days and one day before an encryption key expires on your EKM.

Manual configuration of expiration dates on encryption keys is supported by some EKMs, including the Thales Group CipherTrust Data Security Platform. It is advisable to avoid setting key expiration dates on EKMs due to the following:

  • No VMS operation sets or changes the expiration date of encryption keys except deactivation, which sets the expiration date to the current date.

  • Rotating keys does not change the expiration dates.

Therefore, in the event that key expiration is anticipated, the only way to preserve data is to replicate the data to another location before the keys expire.
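The following audit is an added example, not VAST or Thales code. It flags every key in an inventory that carries an expiration date and reports which of the alarm windows described above the key has entered. The inventory format and the field names "id" and "expires" are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

# Alarm lead times stated on this page: one week, two days and one day.
ALARM_LEAD_TIMES = (timedelta(days=7), timedelta(days=2), timedelta(days=1))


def audit_keys(inventory, now):
    """Return (key_id, status, detail) for each key that has an expiration date.

    inventory: iterable of dicts with the hypothetical fields "id" and
    "expires" (ISO 8601 string, or None when no expiration date is set).
    """
    findings = []
    for key in inventory:
        if key["expires"] is None:
            continue  # no expiration date: the state this page recommends
        expires = datetime.fromisoformat(key["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)  # assumption: naive means UTC
        remaining = expires - now
        if remaining <= timedelta(0):
            findings.append((key["id"], "EXPIRED", "revoked on the cluster"))
            continue
        # Alarm windows the key has already entered; the smallest is the tightest.
        entered = [t for t in ALARM_LEAD_TIMES if remaining <= t]
        if entered:
            detail = f"inside {min(entered).days}-day alarm window: replicate data now"
            findings.append((key["id"], "ALARM", detail))
        else:
            detail = f"{remaining.days} days left: plan replication"
            findings.append((key["id"], "HAS_EXPIRY", detail))
    return findings


# Constructed sample data, not taken from a real EKM.
SAMPLE_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    {"id": "key-a", "expires": None},
    {"id": "key-b", "expires": "2025-06-01T00:00:00+00:00"},
    {"id": "key-c", "expires": "2025-03-06T00:00:00+00:00"},
    {"id": "key-d", "expires": "2025-03-02T12:00:00+00:00"},
    {"id": "key-e", "expires": "2025-02-20T00:00:00+00:00"},
]

if __name__ == "__main__":
    for key_id, status, detail in audit_keys(SAMPLE_INVENTORY, SAMPLE_NOW):
        print(f"{key_id:6} {status:10} {detail}")
```

Because rotating keys does not change expiration dates, any key this audit reports needs its data replicated before the reported date.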