Documentation
Start typing to search…

Encryption Key Policies

Suggest Edit

Encryption Key Policies let you centrally control how encryption keys are created and used across your Akeyless account. With these policies, you can define guardrails, such as:

  • Which key types are allowed as protection keys (Classic Keys or DFC)
  • Which encryption algorithms may be used
  • The maximum supported rotation interval for symmetric keys so teams can move fast without drifting from your security standards.

Policies are applied at the folder level and can automatically inherit to all subfolders, giving you consistent enforcement at scale. This makes it easy to set strict rules for sensitive environments while allowing different folders (and teams) to operate with the right level of flexibility, all while keeping key usage aligned with your organization’s governance and compliance requirements.

Tip: This feature is Early Access and is available only when using a Gateway running version 4.46.0 or later.

Setting an Encryption Key Policy with the CLI

To set an encryption key policy using the CLI, run the following command:

akeyless policy create keys \
--path /my-key-policy \
--max-rotation-interval-days 15 \
--allowed-algorithms RSA2048 \
--allowed-key-types dfc \
--allowed-key-names my-dfc-key \
--object-types items

Where:

  • path: Mandatory, The path the policy refers to.

  • max-rotation-interval-days: The max value for rotation interval in the specified path.

  • allowed-algorithms: Allowed key algorithms (RSA2048,AES128GCM).

  • allowed-key-types: Allowed key protection types (dfc, classic-key).

  • allowed-key-names: Allowed protection key names.

  • object-types: The object types this policy will apply to [items, targets].

Setting an Encryption Key Policy with the Console

  1. Log in to the Akeyless Console, and go to Account Settings > Key Management.
  2. In the Key Management Policies section, press Add.
  3. Define the remaining parameters as follows:
    • Object Type: Choose either Item or Target.
    • Access Path: Choose a path where the policy will be applied (check Apply Recursively to set this policy for items in folders under the specified app).
    • Max Rotation Interval: The maximum allowed rotation interval for keys in the specified path.
    • Algorithm Key Types: The allowed algorithm key types in the specified path.
    • Protection Key Type: DFC, Classic, or both (if Exclusively use default key is checked, Classic is irrelevant and grayed out).
    • Protection Key Name: The allowed protection key in the specified path (if Exclusively use default key is checked, this option is irrelevant and grayed out).

Updated 10 days ago

Footer Section