A first network device may install a receiving key for decrypting traffic on protocol hardware associated with a data plane of the first network device. The first network device may receive, from the data plane, a first notification indicating that the receiving key is installed on the protocol hardware and may provide, to a second network device, a first message identifying the receiving key. The first network device may receive, from the second network device, an acknowledgment message indicating that the receiving key is installed on the second network device and may install a transmission key for encrypting traffic on the protocol hardware. The first network device may receive, from the data plane, a second notification indicating that the transmission key is installed on the protocol hardware and may provide, to the second network device, a second message identifying the transmission key.