Manage Quorum Control

  • Release version: Zurich
  • Updated July 31, 2025
  • 1 minute to read

    • After a withdrawal operation workflow is triggered, quorum actions can be managed from the Key Management Operations page. The key withdrawal operation is blocked until the quorum is met.

    Before you begin

    Role required: sn_kmf.admin or sn_kmf.cryptographic_manager

    When the quorum has been either approved or rejected, the requestor of the key withdrawal will receive an email notating if quorum was achieved or denied.

    Procedure

    1. Perform the steps to withdraw a customer managed key found in Key management operations.
    2. View the Quorum Control Requests and Quorum Control Approvers tabs that activated. Shows the quorum control tabs.
    3. Open the Quorum Control Requests tab to view the actual request that is created.
      • State:
        • Open: The key withdrawal action is pending the quorum being met.
        • Closed Complete: The quorum has been met and can be no further action on this particular quorum request.
      • Approval:
        • Requested: Approval emails have been sent and the workflow has been triggered to reach quorum.
        • Approved: The key will be withdrawn and the instance will be shut down.
        • Denied: The quorum request is canceled and no further action is taken with this request. A new withdrawal request will be required to withdraw the key.
    4. Open the Quorum Control Approvers tab to view the list of approvers and the state of the approval request.Displays entries for the quorum control approvers.

      State:

      • Requested: The approver has not yet taken action on the approval request.
      • Approved: The request has been approved either from the email or the approvals page.
    5. Select the Key Management Transactions tab to view the progress of the request step for the key withdrawal.
      • Step 0 - Quorum Request: The actual quorum request. The quorum request must be completed in order to trigger the key withdrawal steps.
      • Step 1 - Key Withdrawal: The key withdrawal step. This is composed of steps two through seven.
      • Step 2 - Request_preparation: Creates a request to trigger and the wrapping and rotation.
      • Step 3 - request_integrity_check: Validates that the request is legitimate and secure.
      • Step 4 - request_validation: Validates that there is a request in progress, only one rotate request can process at a time.
      • Step 5 - hsm_key_delete: Makes the call to KeySecure to delete the active key.
      • Step 6 - key_metadata_withdraw: Converts the active key metadata lifecycle state to "destroyed."
      • Step 7 - post_withdraw: Makes a call to shut down the instance.