When a rule requires a key, a key policy is used to determine which key instance to use for a network packet.

Keys are cryptographic tokens used by DNE for encryption and integrity checks. DNE supports AES-GCM at 128-bit strength.

There are two system default key policies:

  • System_Encryption_and_Integrity encrypts and checks integrity.

  • System_Integrity_Only checks integrity only.

If you navigate to the Encryption > Keys tab, you can see the properties of the key policies.

Table 1. Columns on the Keys Tab

Column Name



Name of the key policy.


Unique system-generated ID for each key policy. Read only. Referenced in encryption rules and encryption rule sections.


The purpose of the key policy. Possible values:

  • Encrypt and Check Integrity

  • Check Integrity Only


Encryption algorithm. Only AES GCM is supported.

MAC Algorithm

MAC algorithm. Only AES GCM is supported.

Key Length

Only 128-bit is supported.


Indicates whether the policy is a system default.

Rotate Frequency

Rotate frequency in days. The minimum is 1.


Notes about this key.

Creation Time

Date and time when this policy was created.

Last Modified Time

Date and time when this policy was last modified.


Run-time processing statistics (such as packets in/out, bytes in/out) as well as a timestamp for when the statistics were last updated. These values represent aggregated statistics across all hosts. Statistics are accumulated starting from when the encryption rule was created and are tabulated in five-minute intervals (by default), although you must manually refresh the display.

Next Rotation Time

Date and time when the keys will be rotated next.

Not all the columns are displayed by default. You can click Columns in the lower left corner to choose which columns to display.