One of the core features of KMF is to provide the capability  to manage  keys, such as revoking or rotating keys.  KMF properly secures sensitive data with the most up-to-date encryption materials and life cycle operations.

The following table provides a summary of the key life cycle operations and management actions. The cryptographic module purpose is applied to the data with the cryptographic module configuration and has no impact on data.

Key management action	Description
Generate key	Generates  a  new key for the given  cryptographic module. A first generated key is set to active.
Rotate key	Deactivates  the current  key and  generates a new  one. The  new  module key is set to current  (active).
Revoke key	Marks  the current key  and life cycle state as revoked. The cryptographic module auto-generates a new key on new data and sets the key status to active. Revoked means that the key is no longer used for encryption. However, it can still be used for decryption. You can’t destroy a key.
Suspend key	Marks  the current key as suspended.  Manually  resume the suspended  key or revoke  the suspended key to generate  a new module key before using the cryptographic module again.
Resume key	Marks a suspended key as the active key.
Renew key	Extends the life of the current key. The Renew button becomes available under the following circumstances: You’re assigned the cryptographic manager role. The life-cycle state is marked to either Active or Renewed. An expiration date is set in the module life cycle definition.