🔑 Cryptographic Lifecycle

Overview

The cryptographic lifecycle defines the different states a cryptographic key can go through during its existence. Managing key lifecycles ensures security, compliance, and operational integrity in cryptographic systems.

AnkaSecure follows a structured key lifecycle model, allowing secure key management with well-defined states.


🔄 Key Lifecycle States

A cryptographic key can exist in one of the following lifecycle states:

| Status | Description |
|--------|-------------|
| ACTIVE | The key is currently in use and available for encryption, decryption, and signing operations. |
| ROTATED | The key has been replaced by a newer version but may still be valid for decryption or verification. |
| EXPIRED | The key has reached its expiration date or exceeded its usage limits. |
| REVOKED | The key has been explicitly revoked and should no longer be used for cryptographic operations. |

🔄 Lifecycle Transitions

Keys transition through different states during their lifecycle. The following diagram illustrates valid transitions:

graph TD;
    ACTIVE -->|Key Rotation| ROTATED;
    ACTIVE -->|Expiration Date Reached| EXPIRED;
    ACTIVE -->|Explicit Revocation| REVOKED;
    ROTATED -->|Expiration Date Reached| EXPIRED;
    ROTATED -->|Explicit Revocation| REVOKED;
    EXPIRED -->|Cannot be reactivated| REVOKED;

💡 Notes:

ACTIVE keys can be rotated, expired, or revoked.

ROTATED keys may still be used for decryption but will not be used for new encryption.

EXPIRED keys cannot be used for any cryptographic operations.

REVOKED keys are explicitly marked as unusable and cannot be recovered.


🔑 Key Status API

1️⃣ Checking a Key's Status

To retrieve the status of a key, use:

Example Request (cURL)

curl -X GET "https://demo.ankatech.co/api/key-management/keys/{kid}" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "accept: application/json"

Example Response

{
  "kid": "my-key-123",
  "kty": "ML-KEM",
  "alg": "ML-KEM-512",
  "status": "ACTIVE"
}

2️⃣ Rotating a Key

Key rotation replaces an existing key with a new version, maintaining security while ensuring continuity in cryptographic operations.

Example Request

curl -X POST "https://demo.ankatech.co/api/key-management/keys/{kid}/rotate" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "accept: application/json"

Example Response

{
  "kid": "my-key-123",
  "status": "ROTATED",
  "newKid": "my-key-456"
}

3️⃣ Revoking a Key

Keys can be explicitly revoked when they are no longer trusted.

Example Request

curl -X POST "https://demo.ankatech.co/api/key-management/keys/{kid}/revoke" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "accept: application/json"

Example Response

{
  "kid": "my-key-123",
  "status": "REVOKED"
}
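
The lifecycle rules and the response shapes above can be enforced on the client side. The following is an added example, not AnkaSecure code: it audits an observed status history against the transition diagram and picks the usable key for an operation by following `newKid` links. The local `STORE` cache, the function names, the key `my-key-789` and the `verify` permission for ACTIVE keys are assumptions made for illustration.

```python
import json

# Valid transitions, copied from the lifecycle diagram on this page.
TRANSITIONS = {
    "ACTIVE": {"ROTATED", "EXPIRED", "REVOKED"},
    "ROTATED": {"EXPIRED", "REVOKED"},
    "EXPIRED": {"REVOKED"},
    "REVOKED": set(),
}
# Operations per state, from the state table and notes. "verify" for ACTIVE
# is an assumption: the page lists only encryption, decryption and signing.
ALLOWED_OPS = {
    "ACTIVE": {"encrypt", "decrypt", "sign", "verify"},
    "ROTATED": {"decrypt", "verify"},
    "EXPIRED": set(),
    "REVOKED": set(),
}

def invalid_transitions(history):
    """Return (old, new) status pairs in an observed history that the diagram forbids."""
    return [(a, b) for a, b in zip(history, history[1:])
            if a != b and b not in TRANSITIONS.get(a, set())]

def usable_kid(op, kid, store):
    """Return the kid to use for op, following newKid links left by rotation."""
    seen = set()
    while kid not in seen:
        seen.add(kid)
        rec = store.get(kid)
        if rec is None:
            raise LookupError(f"unknown key {kid}")
        status = rec.get("status")
        if op in ALLOWED_OPS.get(status, set()):
            return kid
        # Only a ROTATED key has a successor; every other state fails closed.
        if status != "ROTATED" or "newKid" not in rec:
            raise PermissionError(f"{kid} is {status}: {op} refused")
        kid = rec["newKid"]
    raise RuntimeError("rotation chain loops back on itself")

# Constructed sample: a local cache of API responses, keyed by kid.
STORE = json.loads("""{
  "my-key-123": {"kid": "my-key-123", "status": "ROTATED", "newKid": "my-key-456"},
  "my-key-456": {"kid": "my-key-456", "status": "ACTIVE"},
  "my-key-789": {"kid": "my-key-789", "status": "REVOKED"}
}""")

if __name__ == "__main__":
    print(usable_kid("encrypt", "my-key-123", STORE))  # resolves to the successor
    print(invalid_transitions(["ACTIVE", "ROTATED", "ACTIVE"]))
```

A status history that contains a forbidden pair, such as ROTATED back to ACTIVE, is worth alerting on, since the diagram gives no path that returns a key to ACTIVE.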

🛡️ Best Practices for Key Lifecycle Management

🔹 Use key rotation regularly to minimize exposure risks.

🔹 Monitor key expiration dates and update them as necessary.

🔹 Revoke compromised keys immediately to prevent misuse.

🔹 Ensure compliance with security policies for cryptographic key management.

For more details, refer to:

  • Key Management Overview

  • Key Rotation & Re-Encryption

  • API Reference - Key Management