Encryption Key Error Messages

Introduction

This is a list of error messages that may occur during dual-party customer-managed encryption key (CMEK) processes.

Some errors are related to data entry. They occur while entering or confirming the information; for example, a duplicate key name or an invalid URL format was found. Other errors are related to configuration or settings; for example, the customer revoked one or both of the key stores, or the Key identifier was mistyped.

The following error messages are available:

iManage Control Center

If the Encryption Key menu item does not appear in the Settings panel of the navigation pane, check that the user is assigned to a global role that has the Key Management privilege enabled.

To add or to check the role setting of Key Management, sign in as an NRTADMIN who is assigned to a role that has Role Management enabled in iManage Control Center:

  1. Select Access > Roles.

  2. Select Global Management from the Roles list.

  3. Select an existing role, or create a new role.

  4. In the Details tab, select Edit for Privileges.

  5. Select to enable Key Management.

  6. Select Save.

  7. In the Users tab, select Assign to Users, selecting the required users.

  8. Select Save.

The user will have this privilege at the next sign-in.

Add key dialog box

These error messages apply to the Add Encryption Key dialog box.


Required fields are missing

Required fields (identified with an asterisk) must have a value entered. This message identifies the field requiring the correction.

Key name exceeds the length limit

The key name entered is too long. Shorten the name so that its length is less than or equal to the maximum.

The Key name is the descriptive name for the key. This name appears in the list of keys.

Minimum length: 1

Maximum length: 255

Spaces allowed: Yes

Unicode allowed: Yes

Special characters allowed: Yes

Key identifier URL format is invalid

The Key identifier is a URL for the Azure key vault.

The value entered is not a valid URL format. Check the URL and enter it again. Make sure the URL uses forward slashes (/) only, is not a relative URL, contains "https://" and a domain name, and has no spaces.

The URL is provided by Azure at the time the value is created and should be copied or written down to ensure accuracy.

An example format is: https://ajubalaw.vault.azure.net/keys/ajubalaw-1/da93550d9b344d04a212dd06b7e7f4dc

Duplicate key holder information

Some of one key holder's information duplicates the other key holder's information. Make sure each of the Client secret, Application (client) ID, and Key identifier values is different from the other key holder's values.

Key identifiers are the same. Keys must be stored in separate Azure key vaults. Make sure each key identifier value is different from the other key holder's value.

App (client) IDs are the same. Keys must be stored in separate Azure key vaults. Make sure each application (client) ID value is different from the other key holder's value.

Key identifiers and App IDs are the same. Keys must be stored in separate Azure key vaults. Make sure the key identifier and application (client) ID are each different from the other key holder's values.
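The data entry rules above (key name length, Key identifier URL format, and duplicate key holder information) can be checked before the values are typed into the dialog box. This is an added example, not iManage code; the function names, dictionary field names, and the case-insensitive comparison are assumptions, and the product's own validation may differ.

```python
from urllib.parse import urlsplit

KEY_NAME_MIN, KEY_NAME_MAX = 1, 255  # limits stated on this page


def check_key_name(name, existing_names=()):
    """Key name: 1-255 characters, unique; spaces, Unicode and specials allowed."""
    problems = []
    if not KEY_NAME_MIN <= len(name) <= KEY_NAME_MAX:
        problems.append("Key name length must be 1-255 characters")
    if name in existing_names:
        problems.append("Duplicate key name")
    return problems


def check_key_identifier(url):
    """Key identifier: absolute https URL with a domain, forward slashes, no spaces."""
    problems = []
    if any(ch.isspace() for ch in url):
        problems.append("URL contains spaces")
    if "\\" in url:
        problems.append("URL must use forward slashes only")
    try:
        parts = urlsplit(url)
    except ValueError:
        return problems + ["URL cannot be parsed"]
    if parts.scheme.lower() != "https":
        problems.append('URL must start with "https://"')
    if not parts.hostname:
        problems.append("URL must contain a domain name (no relative URLs)")
    return problems


def check_key_holders(holder1, holder2):
    """Flag values shared by both holders; dict field names are hypothetical."""
    problems = []
    for field in ("client_id", "client_secret", "key_identifier"):
        a, b = holder1[field].strip(), holder2[field].strip()
        if field != "client_secret":  # assumption: compare IDs and URLs case-insensitively
            a, b = a.casefold(), b.casefold()
        if a == b:
            problems.append(f"{field} is the same for both key holders")
    return problems


if __name__ == "__main__":
    # The URL is the example format shown on this page.
    url = "https://ajubalaw.vault.azure.net/keys/ajubalaw-1/da93550d9b344d04a212dd06b7e7f4dc"
    print(check_key_identifier(url) or "key identifier format OK")
```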

Insufficient key vaults have been registered and enabled

There are not enough Azure key vaults registered for the iManage Work system to confirm the customer supplied encryption key.

Key vaults must be registered in pairs, and each of the pairs must contain a copy of the same customer supplied encryption key. More than one pair of key vaults may be registered. Registration permits the iManage Work system to safely access the stores.

There are several cases that cause this error. Check the condition and the suggestion to correct it.

  1. No key vaults have been added. No key vaults have been registered yet. Contact iManage Support and provide the two Azure key vault URLs.

  2. Only one key vault has been added and enabled. One key vault has been added and enabled although two key vaults are required. Contact iManage Support and provide the additional Azure key vault URL that matches the existing Azure key vault.

  3. There are some key vaults added but all of them are disabled. Key vaults have been added but at least one, and possibly up to all of them, are disabled. Contact iManage Support and specify which Azure key vaults to enable.

Key vaults have not been registered

The specified Azure vault for the has not been registered and enabled.

Supply the specified Azure key vault DNS name to iManage Support.

Keys referenced inside the vaults are not the same

The keys in Key vault 1 and key vault 2 do not match each other.

The keys in the two vaults do not match each other. Check each of the key vaults and make sure they contain copies of the same customer supplied encryption key. There is no need to contact iManage Support.

Key has invalid master key address

The specified key holder's key identifier is invalid or cannot be accessed.

Check the key identifier and try again.

Failed to validate application client id or secret

The combination of the specified key holder's application (client) ID and the client secret is invalid.

Check both of those values and try again.

Duplicate key name

The key name entered is a duplicate of another Key name.

Make sure the key name entered is unique among the other Key names.

Revoked key

The specified key is revoked.

If this is not intended, check the cause of the revocation. One revoked key still allows encryption and decryption to occur normally. However, to minimize risk, both keys need to be healthy. If both keys are revoked or unavailable, encryption and decryption will not occur.

Unexpected error

An unspecified error has occurred.

This error can be caused by an incorrect configuration in an Azure vault such as invalid key vault permissions, a disabled key, or an expired key. Check those values and try again.

Edit Key Dialog

The Key name is missing

The Key name was not included.

Enter a Key name.

Key name exceeds the length limit

The key name entered is too long.

Shorten the name so that its length is less than or equal to the maximum.

The Key name is the descriptive name for the key. This name appears in the list of keys.

Minimum length: 1

Maximum length: 255

Spaces allowed: Yes

Unicode allowed: Yes

Special characters allowed: Yes

Duplicate key name

The key name entered is a duplicate of another Key name.

Make sure the key name entered is unique among the other Key names.

Unexpected error

An unspecified error has occurred.

This error can be caused by an incorrect configuration in an Azure vault such as invalid key vault permissions, a disabled key, or an expired key. Check those values and try again.

Activate Key Dialog

Required selection

No libraries were selected when attempting to activate this key.

Select at least one library. Some libraries may already be selected because the same active key had been previously applied to them. Multiple libraries can use the same key.

The Key is activated for all available libraries

The specified key has already been activated for all available libraries.

This condition occurs:

  • When attempting to activate a key that has already been activated on all available libraries. If this is not intended, use another key and try again.

  • When two iManage Work system administrators attempt to activate the same key at the same time. Refresh the iManage Control Center page, check the key status, and try again.

Unhealthy key

The specified key is unable to be activated.

An attempt was made to activate a key with an unhealthy status. A key cannot be activated if the key's health changes unexpectedly, or the key has been revoked after the activation attempt started.

Activating an already active key

The specified key has already been activated for all available libraries.

This condition occurs:

  • When attempting to activate a key that has already been activated on the selected libraries. If this is not intended, use another key and try again.

  • When two iManage Work system administrators attempt to activate the same key at the same time. Refresh the iManage Control Center page, check the key status, and try again.

Key is unavailable

The specified key is unavailable.

An unspecified error has occurred. This may be caused by:

  • The Azure key vault is unavailable. Check that the Azure vault is working properly and that it is configured correctly.

  • The Key identifier is invalid. Check the Key identifier in the Azure vault and try again.

  • Incorrect permissions in the Azure vault. Check the permissions in the Azure vault and try again.

Unhealthy source master key

The specified source master key has recently changed to a revoked, unavailable, or mismatched state.

The existing source key cannot be replaced. The key either:

  • Has both key stores revoked and/or currently unavailable, or

  • The two source key stores contain keys that do not match each other (also called a mismatched state).

Check the source key status, and try again. To complete the replacement, the source key cannot be in a mismatched state, and at least one of the key stores must be healthy.

A revoked key is one for which the key store owner has explicitly changed the key store's status to prevent it from being read.

An unavailable key is one whose key store cannot be read. This may be caused by a lack of network access, or the key store configuration.

Keys are mismatched when the keys in the two key stores do not match.

Unhealthy destination master key

The specified destination master key has recently changed to a revoked, unavailable, or mismatched state.

The existing destination key cannot be used to replace an active key. The destination key either:

  • Has at least one key store revoked or currently unavailable, or

  • The two destination key stores contain keys that do not match each other (also called mismatched keys).

Check the destination key status, and try again. To complete the replacement, the destination key cannot be in a mismatched state, and both key stores must be healthy.

A revoked key is one for which the key store owner has explicitly changed the key store's status to prevent it from being read.

An unavailable key is one whose key store cannot be read. This may be caused by a lack of network access, or the key store configuration.

Keys are mismatched when the keys in the two key stores do not match.
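The source and destination rules above are asymmetric: a source key needs at least one healthy key store, while a destination key needs both. The following added example (not iManage code) models those rules as a pre-check for a key replacement; the class names, the fingerprint field, and the assumption that a mismatch is only observable when both stores are readable are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum


class StoreState(Enum):
    HEALTHY = "healthy"
    REVOKED = "revoked"          # owner explicitly blocked reads
    UNAVAILABLE = "unavailable"  # cannot be read (network or configuration)


@dataclass
class KeyStore:
    state: StoreState
    fingerprint: str = ""  # hypothetical digest of the stored key; empty if unreadable


@dataclass
class MasterKey:
    store1: KeyStore
    store2: KeyStore

    def healthy_count(self):
        return sum(s.state is StoreState.HEALTHY for s in (self.store1, self.store2))

    def mismatched(self):
        # Assumption: a mismatch is only observable when both stores can be read.
        return (self.healthy_count() == 2
                and self.store1.fingerprint != self.store2.fingerprint)

    def usable_as_source(self):
        # Page rule: not mismatched, and at least one key store healthy.
        return self.healthy_count() >= 1 and not self.mismatched()

    def usable_as_destination(self):
        # Page rule: not mismatched, and both key stores healthy.
        return self.healthy_count() == 2 and not self.mismatched()


def replacement_blockers(source, destination):
    """Return the error headings from this page that would block a replacement."""
    blockers = []
    if not source.usable_as_source():
        blockers.append("Unhealthy source master key")
    if not destination.usable_as_destination():
        blockers.append("Unhealthy destination master key")
    return blockers
```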

Unexpected Error

An unspecified error has occurred.

Try the last operation again. If that does not correct the issue, contact your iManage Work system administrator.

Key Details page

The key is unavailable

The specified key is unavailable.

This error may be caused by a network issue, such as not being able to contact the Azure key vault, or by a configuration issue with the Azure key vault. Check that the Azure vault is working properly and that it is configured correctly.

The key is revoked

The specified key is revoked.

The specified key has been revoked by the customer. If this is not intended, check the cause of the revocation.

If one key is revoked, encryption and decryption still occur. However, to minimize risk, both keys need to be healthy. If both keys are revoked or unavailable, encryption and decryption will not occur.

The key is mismatched

The keys in Key vault 1 and key vault 2 do not match each other.

The keys in the two vaults do not match each other. Check each of the key vaults and make sure they contain copies of the same customer supplied encryption key. There is no need to contact iManage Support.

Master Encryption Keys page

Unhealthy key

One or more keys are invalid or have warnings.

This message indicates that some of the master encryption keys on this page have errors or warnings associated with them.

Review the list and address each issue before continuing. See the individual error messages on this page for more information.