Access Control for Keys
In CipherTrust Manager, keys can be created through two distinct workflows. Although both workflows generate functionally identical keys, they differ in the way access permissions are assigned. This distinction is crucial for ensuring that keys remain accessible only to the intended applications and associated clients.
Workflow 1: Key creation from the Keys menu
When a key is created directly from the Keys menu (Keys → Add Key), access is initially granted only to the admin group; no application client can use the key yet. To expose the key to a specific application, an administrator must explicitly assign key permissions to a custom group and link that group to the application. Clients of that application can then use the key, and clients of other applications cannot.
Use this option when:
- Keys need to be restricted to a specific application.
- Access policies require tight control and should not be automatically inherited by all Application Data Protection clients.
Workflow 2: Key creation through the Application Data Protection tile
When a key is created as part of configuring a Protection Policy, CipherTrust Manager automatically grants access to the Application Data Protection Clients group. Every client registered to any Application Data Protection application becomes a member of this default group. As a result, all such clients are permitted to use the key, regardless of which application they belong to; no per-application boundary is enforced for keys created this way.
Use this option when:
- The same key needs to be shared across multiple applications.
- No per-application restriction or access segmentation is needed.
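Because the two workflows produce keys that look identical but are exposed to very different sets of clients, it is worth auditing a key inventory against the intended access model. The following script is an added example, not Thales code or part of CipherTrust Manager. It assumes key objects in the shape the CipherTrust Manager REST API returns, with a meta.permissions map from permission name (UseKey, EncryptWithKey, and so on) to a list of group names; the permission names, the sample keys, the custom group names and the intent map are all constructed for illustration.

```python
"""Classify and audit key access in a CipherTrust Manager key inventory.

Added example (not Thales code). Assumed input shape: a list of key objects
as returned by the CipherTrust Manager REST API, each carrying
meta.permissions = {<permission name>: [<group name>, ...]}.
"""
import json

# Default group that every registered Application Data Protection client
# joins (named on the page). A key usable by this group is usable by every
# ADP client, whatever application it belongs to.
DEFAULT_ADP_GROUP = "Application Data Protection Clients"

# Permission names that let a holder *use* key material (assumed to match
# the CipherTrust Manager permission map; adjust if your deployment differs).
USE_PERMISSIONS = (
    "UseKey", "EncryptWithKey", "DecryptWithKey",
    "SignWithKey", "SignVerifyWithKey", "MACWithKey", "MACVerifyWithKey",
)


def groups_that_can_use(key):
    """Return the set of groups granted any key-use permission on `key`."""
    perms = (key.get("meta") or {}).get("permissions") or {}
    groups = set()
    for perm in USE_PERMISSIONS:
        groups.update(perms.get(perm) or [])
    return groups


def classify(key):
    """shared: usable by every ADP client (Workflow 2 default);
    restricted: usable only by named custom groups (Workflow 1 after
    permissions were assigned); admin-only: no group granted yet
    (Workflow 1 before any assignment)."""
    groups = groups_that_can_use(key)
    if DEFAULT_ADP_GROUP in groups:
        return "shared"
    if groups:
        return "restricted"
    return "admin-only"


def audit(keys, intended):
    """Compare actual key permissions against recorded intent.

    `intended` maps key name -> the custom group that should be the only
    consumer, or the literal "shared" when the key is meant for every ADP
    client. Returns a list of (key name, finding) tuples; an empty list
    means every key matches its intent."""
    findings = []
    for key in keys:
        name = key["name"]
        want = intended.get(name)
        groups = groups_that_can_use(key)
        if want is None:
            findings.append((name, "no intent recorded; classified as " + classify(key)))
        elif want == "shared":
            if DEFAULT_ADP_GROUP not in groups:
                findings.append((name, "expected shared but default ADP group lacks use permission"))
        else:
            if DEFAULT_ADP_GROUP in groups:
                findings.append((name, "restricted key is usable by all ADP clients via the default group"))
            if want not in groups:
                findings.append((name, f"intended group '{want}' has no use permission"))
            extra = groups - {want, DEFAULT_ADP_GROUP}
            if extra:
                findings.append((name, "unexpected groups: " + ", ".join(sorted(extra))))
    return findings


# Constructed sample inventory (not real keys or groups).
SAMPLE_KEYS = json.loads("""[
  {"name": "payroll-aes", "meta": {"permissions": {
     "UseKey": ["payroll-app-clients"], "ReadKey": ["payroll-app-clients"]}}},
  {"name": "shared-dpg", "meta": {"permissions": {
     "UseKey": ["Application Data Protection Clients"],
     "ReadKey": ["Application Data Protection Clients"]}}},
  {"name": "hr-ssn", "meta": {"permissions": {
     "UseKey": ["Application Data Protection Clients"],
     "DecryptWithKey": ["hr-app-clients"]}}},
  {"name": "fresh-key", "meta": {"permissions": {}}}
]""")

# Constructed intent: which keys should be application-specific and which shared.
INTENT = {
    "payroll-aes": "payroll-app-clients",
    "shared-dpg": "shared",
    "hr-ssn": "hr-app-clients",
}

if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        print(f"{key['name']}: {classify(key)}")
    for name, finding in audit(SAMPLE_KEYS, INTENT):
        print(f"FINDING {name}: {finding}")
```

In the sample, hr-ssn is flagged: it was meant for one application's group but also carries the default group, so every ADP client can decrypt with it. That is exactly the situation the Workflow 2 default produces when a key that should have been restricted is created from the Protection Policy wizard. The key with no recorded intent is reported so it can be triaged rather than silently passed.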