About moving SSH keys to a different folder

A keyset's folder location in Trust Protection Platform determines what policy settings apply to the keyset. Folders can be used to organize objects, as well as to apply policy settings to the items in the folders. If you decide you want to move one or more keysets to a new folder, you can use one of the following procedures.

For example, if you want a limited-rights user to be able to rotate a keyset, but you don't want them to have other permissions on other keysets, you can move the keysets into a folder in the Policy tree. Once the keysets are in the Policy tree, you can use the policy-based permissions, or you can even apply specific permissions to a keyset.

How policy settings are applied

Only certain SSH policy settings are applied to keysets when they are moved into a folder. This is because some of the settings need to come from the device on which the keysets are installed. The keyset folder policy settings that override device settings are:

  • Contacts
  • Algorithm
  • Key Size
  • Key Format
  • Source Restrictions
  • Options

You might move a keyset into a folder whose policy settings are different from the key's current settings. For example, if folder A requires a key size of 4096, but the key you move into folder A is only 2048, the key will still move into the folder, but a new risk will appear for the keyset telling you that the key size is smaller than required. Rotate the key to have the new policy settings applied to the keyset.

When an SSH keyset is placed in a policy folder, the security level is taken from the keyset policy. Some keyset folder policy settings, such as Contacts, Algorithm, Key Size, and Key Format, override device settings and are applied to the keysets. These policy settings ensure that the security measures specified in the policy are enforced for the SSH keyset.
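The following is an added illustration of the behaviour described above, not Venafi code: the folder policy wins only for the overridable settings, a key that falls short of the resolved policy surfaces a risk rather than being rejected, and rotation clears it. The field names, the "Allowed Source Hosts" device-only setting and the rotation model are assumptions made for the example.

```python
# Added illustration, not Venafi code: folder policy overrides device settings
# for a moved keyset, and a key that falls short shows up as a risk until rotated.
# Field names and the rotation model are assumptions made for this example.

# Keyset folder policy settings that override device settings (from the list above).
FOLDER_OVERRIDES = {"Contacts", "Algorithm", "Key Size", "Key Format",
                    "Source Restrictions", "Options"}


def effective_policy(device_settings: dict, folder_policy: dict) -> dict:
    """Settings governing a keyset in a policy folder: overridable settings
    come from the folder, everything else still comes from the device."""
    resolved = dict(device_settings)
    for name, value in folder_policy.items():
        if name in FOLDER_OVERRIDES and value is not None:
            resolved[name] = value
    return resolved


def keyset_risks(keyset: dict, policy: dict) -> list[str]:
    """Risks a keyset carries against the resolved policy. The move itself is
    never blocked; mismatches are reported and cleared by rotating the key."""
    risks = []
    required = policy.get("Key Size")
    if required and keyset["key_size"] < required:
        risks.append(f"Key Size: {keyset['key_size']} is smaller than the required {required}")
    allowed = policy.get("Algorithm")
    if allowed and keyset["algorithm"] not in allowed:
        risks.append(f"Algorithm: {keyset['algorithm']} is not in {sorted(allowed)}")
    return risks


def rotate(keyset: dict, policy: dict) -> dict:
    """Model a rotation: the replacement key is generated with the policy's
    key size and a permitted algorithm, which clears the risks above."""
    allowed = policy.get("Algorithm")
    algorithm = keyset["algorithm"]
    if allowed and algorithm not in allowed:
        algorithm = sorted(allowed)[0]
    return {**keyset, "key_size": policy.get("Key Size", keyset["key_size"]),
            "algorithm": algorithm}


# Constructed sample: a 2048-bit ssh-rsa key whose device accepts 2048, moved into
# folder A, which requires 4096. "Allowed Source Hosts" stands for a device-only setting.
DEVICE_SETTINGS = {"Key Size": 2048, "Algorithm": {"ssh-rsa", "ssh-ed25519"},
                   "Allowed Source Hosts": ["*"]}
FOLDER_A_POLICY = {"Key Size": 4096, "Contacts": ["ssh-key-owners"]}
KEYSET = {"key_size": 2048, "algorithm": "ssh-rsa"}
```

Calling `keyset_risks(KEYSET, effective_policy(DEVICE_SETTINGS, FOLDER_A_POLICY))` returns the single Key Size risk from the folder A example, while the device-only "Allowed Source Hosts" setting is untouched by the folder policy; after `rotate()` the same check returns an empty list.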

Permissions required to move and rotate keysets

To move a keyset into a policy folder, you need to have Create and Manage Policy permissions in the target folder.

To move a keyset from one folder to another, you need to have Create and Manage Policy permissions in the target folder, and Delete permissions in the source folder.

To remove a keyset from all folders (reverting back to device-based permissions), you need to have Delete permissions in the folder that contains the keyset.

To rotate a keyset, you need to have View, Read, and Write permissions on the keyset.

For more information on permissions, see About permissions.