Rotate Secret Store encryption keys
The Venafi Configuration Console provides the ability to rotate the encryption keys used to secure the information stored in Venafi Trust Protection Platform.
When you rotate the encryption keys, the system searches for all assets that are encrypted with the old key, decrypts them, encrypts them with the new key, and stores the newly encrypted value back in the database.
There are two procedures with similar names, and it's important to verify which procedure you want.
- Rotate Secret Store keys
  - Secret Store keys are used to encrypt data in Secret Store, and focus on securing specific policy folders.
  - Different policy folders can be encrypted by different Secret Store keys.
  - Rotating Secret Store keys should be done regularly to maintain updated security.
  - During key rotation, the system searches for all assets that are encrypted with the old key, decrypts them, encrypts them with the new key, and stores the newly encrypted value back in the database.
  - This rotation can be initiated from the Venafi Configuration Console, and does not require any downtime.
  - The procedure outlined below shows you how to rotate Secret Store keys.
- Rotate System Protection key
  - The System Protection key encrypts everything stored in the Secret Store that isn't otherwise encrypted by a specific Secret Store key.
  - When you rotate the System Protection key, you create the new key, and then store it on the selected encryption connector.
  - The new key is encrypted using the current key and can be accessed by other Venafi Platform servers.
  - During the rotation process both the new and current keys remain active, allowing a seamless transition without downtime.
  - Once all objects have been re-encrypted with the new key, the current key is deleted from each Venafi Platform server.
  - The procedure below does NOT show you how to rotate the System Protection key. For information on rotating the System Protection key, see Rotate the System Protection Key.
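The rotation behaviour described for both key types above (find every asset tagged with the old key, decrypt it, re-encrypt it under the new key, write it back, keep both keys loaded until the last asset is done, and only then delete the old key) as an added, stand-alone Python example; this is not Venafi code and does not use the Venafi API. The record layout, key ids, asset names and the HMAC-based cipher are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict

def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Derive separate encryption and MAC subkeys from one stored key.
    return hmac.new(key, purpose, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (stdlib only; production code would use AES-GCM).
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encrypt(keys: Dict[str, bytes], key_id: str, plaintext: bytes) -> dict:
    # Each stored record carries the id of the key that encrypted it; rotation searches on that id.
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(keys[key_id], b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(keys[key_id], b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"key_id": key_id, "nonce": nonce, "ct": ct, "tag": tag}

def decrypt(keys: Dict[str, bytes], rec: dict) -> bytes:
    key = keys[rec["key_id"]]  # KeyError here means a key was deleted before rotation finished
    expected = hmac.new(_subkey(key, b"mac"), rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec["tag"]):
        raise ValueError("authentication failed; refusing to re-encrypt corrupted data")
    ks = _keystream(_subkey(key, b"enc"), rec["nonce"], len(rec["ct"]))
    return bytes(c ^ k for c, k in zip(rec["ct"], ks))

def rotate(store: Dict[str, dict], keys: Dict[str, bytes], old_id: str, new_id: str) -> int:
    """Decrypt every asset tagged old_id, re-encrypt it under new_id, store it back; returns the count."""
    if old_id == new_id or new_id not in keys:
        raise ValueError("new key must differ from the old key and already be loaded")
    # Assets under any other key (for example another policy folder's key) are left untouched.
    names = [n for n, r in store.items() if r["key_id"] == old_id]
    for name in names:
        store[name] = encrypt(keys, new_id, decrypt(keys, store[name]))  # both keys active here
    return len(names)  # only once this returns is it safe to delete keys[old_id]

def build_demo_store():
    # Constructed sample data: two assets under the old key, one under a different folder's key.
    keys = {"key-old": secrets.token_bytes(32), "key-new": secrets.token_bytes(32),
            "folder-b-key": secrets.token_bytes(32)}
    store = {"folder-a/db-password": encrypt(keys, "key-old", b"s3cr3t-db-pw"),
             "folder-a/api-token": encrypt(keys, "key-old", b"tok_0123456789"),
             "folder-b/private-key": encrypt(keys, "folder-b-key", b"-----BEGIN KEY-----")}
    return store, keys
```

Running `rotate(store, keys, "key-old", "key-new")` on the demo store re-encrypts the two folder-a assets, leaves the folder-b asset on its own key, and returns 2; after that the old key can be removed from `keys` and every asset still decrypts.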
Before you begin
Make sure that all services will remain running until the task is completed. VPlatform needs to be running to perform the rotation. The encryption subsystem will dynamically reload when there is a change.
This change is replicated across all Venafi Platform servers. When a server can be reached via Message Bus, the change is done in near-real time. If a server can't be reached via Message Bus, a ToDo will be created and all servers will be updated within about five minutes.
You can see the status of the key rotation task by using the Rotation Widget in the System Dashboard on the web console.
To rotate encryption keys
- From the Venafi Trust Protection Platform server, open Venafi Configuration Console.
- In the left panel, click Connectors.
- In the center panel, click the key that you want to rotate.
- In the Actions panel on the right, click Rotate Keys...
- (Conditional) If requested, enter the Venafi Platform administrator user name and password.
- Select the old key from the list.
- Select the new key from the list.
- Click Rotate.
Depending on how many objects were encrypted with the old key, this process may take some time; however, you can exit the Venafi Configuration Console, because the task continues in the background.