A cryptographic module policy is an instance-level policy that places limits on cryptographic modules, such as how long the key is good for. Create policies to safeguard cryptographic modules by limiting their exposure.

About this task

The more exposure a cryptographic key has, the more likely it can be compromised. Safeguard keys by limiting how long the keys can be used and who can use them.

The following features govern cryptographic modules:

• Instance policies set boundaries for the instance. For example, if you specify in the instance policies that the expiration date should never be more than two years after the activation date, you cannot use the lifecycle rules to set an expiration date five years after the activation date.

• Instance lifecycle templates allow you to set different policies for different keys. Templates offer default lifecycle rules for cryptographic modules so that they don't have to be re-created for every module. For example, you can set different expiration dates for symmetric data encryption keys than for public key wrapping keys.

• Lifecycle rules affect the keys directly. For example, if you specify in the lifecycle rules that the expiration date should be two years after the activation date, keys will expire two years after the activation d

1. Navigate to Key Management > Lifecycle Policies > Instance Policies.
2. Click New.
3. Complete the form.
   Cryptographic Lifecycle Policies fields

   Field	Description
   Applies to	Read only. The key the lifecycle applies to.
   Active	Select to activate the policy.
   Policy condition	Conditional statements that specify when to activate, renew, deactivate, and destroy the cryptographic module.
   Result	Reject to revoke access to the cryptographic module, or Track to permit access and monitor use of the cryptographic module.

What to do next

If you want to add exceptions to this lifecycle policy at the module level, see Create module policy exceptions.