Cryptographic keys can be managed with the Administration Web Interface via SERVERS > Key Management.
If you have a large number of keys, you can use the FILTER button to filter the list by key ID, key usage, or both. To return to the full list of keys, click CLEAR FILTER.
Click on any key to view its details.
To activate a key, click ACTIVATE. This starts the Rotate Key wizard, which allows you to run or schedule a key rotation.
Creating cryptographic keys
You can use the SERVERS > Create New Key page of the Administration Web Interface to create new cryptographic keys.
To create a new cryptographic key
Sign in to the Administration Web Interface.
Select SERVERS > Add New Key.
Type a unique key ID.
Select the usage purpose from the Usage list, either Storage Data or Sensitive Data.
Do one of the following:
If you have NOT set up an HSM, enter the key value.
If you type the key value directly, you need to type a hexadecimal string whose length depends on the key usage. Storage data keys can be up to 64 characters (for a 256-bit key); sensitive data keys can be up to 32 characters (for a 128-bit key).
Alternatively, click GENERATE KEY to create a random key value.
Recommended key length
We strongly recommend always using the maximum key length (256 bits for storage data, 128 bits for sensitive data) if you do not use an HSM.
If you have set up an HSM, enter the following details:
The key label
The key check value (KCV)
The slot ID of the HSM
For private keys, type the token label and the token PIN.
(OPTIONAL) Type a brief description of the new key.
Click SUBMIT.
The new key is now visible in the list of available keys.
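If you do not use an HSM and create the key value outside the interface, the length rules from the procedure above can be checked before the value is entered. The following Python script is an added example, not part of the product or its documentation; the function names and the repeated-character check are assumptions of this example.

```python
import secrets
import string

# Maximum key value length in hexadecimal characters per usage (from the text above).
MAX_HEX_CHARS = {"Storage Data": 64, "Sensitive Data": 32}


def generate_key_value(usage: str) -> str:
    """Return a random key value of the maximum length for the given usage."""
    n_bytes = MAX_HEX_CHARS[usage] // 2   # two hex characters per byte
    return secrets.token_hex(n_bytes)     # drawn from the OS CSPRNG


def check_key_value(usage: str, value: str) -> list[str]:
    """Return findings for a candidate key value.

    An empty list means the value is hexadecimal, within the limit, and has
    the recommended (maximum) length for the usage.
    """
    limit = MAX_HEX_CHARS[usage]
    if not value:
        return ["error: key value is empty"]
    findings = []
    if any(c not in string.hexdigits for c in value):
        findings.append("error: key value contains non-hexadecimal characters")
    if len(value) > limit:
        findings.append(f"error: {len(value)} characters exceeds the limit of {limit}")
    elif len(value) < limit:
        # Shorter values are allowed ("up to"), but below the recommendation.
        findings.append(
            f"warning: {len(value) * 4}-bit key, recommended is {limit * 4} bits"
        )
    # Assumption of this example: flag an obviously non-random value.
    if len(set(value.lower())) == 1:
        findings.append("warning: key value is a single repeated character")
    return findings


if __name__ == "__main__":
    for usage in MAX_HEX_CHARS:
        candidate = generate_key_value(usage)
        # Report only the verdict; never print or log the key value itself.
        print(usage, len(candidate), check_key_value(usage, candidate) or "ok")
```
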
Rotating cryptographic keys
You can use the SERVERS > Rotate Key page of the Administration Web Interface to rotate your cryptographic keys. You can rotate keys individually or as a bulk operation.
To configure key rotation
Sign in to the Administration Web Interface.
To initiate key rotation for a single key:
Select SERVERS > Key Management.
Click on the key that you want to rotate.
Click ACTIVATE.
To initiate a bulk key rotation:
Select SERVERS > Rotate Key.
Select the key rotation type (either Storage key rotation or Sensitive data key rotation).
Select the new key to use from the Key to rotate to list and click NEXT.
On the Schedule Task page, you can schedule when and how you want to do the key rotation:
Run immediately. The key rotation is done immediately in the foreground. You will be unable to use the Administration Web Interface until the rotation has been completed.
Run in background. The key rotation is done in the background. You can continue to use the Administration Web Interface. Optionally, you can specify a time and date to schedule the operation. When selecting this option, you can also choose to be notified on completion.
Click NEXT to continue.
Click Finish.
Rotation from a software security module (SSM) key to a hardware security module (HSM) key, e.g., for HSM migration during an upgrade of OneSpan Authentication Server, cannot be reverted! You cannot rotate back to an SSM key.