Rotate the System Protection Key

Rotating the System Protection Key will generate a new encryption key and re-encrypt all objects in the Trust Protection Platform database that are currently encrypted with the System Protection Key. When you rotate encryption keys, the system searches for all assets that are encrypted with the old key, decrypts them, encrypts them with the new key, and stores the newly encrypted value back in the database.
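The re-encryption loop described above, as an added example that is not Venafi's code: each stored object records the name of the key that protects it, the rotation walks the store decrypting with the old key and re-encrypting with the new one, and a per-key count shows when nothing is left under the old key. The data model, the AES-GCM choice, the key names and the sample secrets are all constructed for this illustration and say nothing about how Trust Protection Platform stores its objects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ProtectionKey stands in for a named System Protection Key (assumed model).
type ProtectionKey struct {
	Name string
	aead cipher.AEAD // key material stays inside the key object, like an HSM key
}

// Secret is one encrypted object; KeyName is how a rotation finds the objects it must redo.
type Secret struct {
	ID, KeyName   string
	Nonce, Cipher []byte
}

// newKey generates fresh AES-256 material under the given name and wraps it in GCM.
func newKey(name string) (ProtectionKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return ProtectionKey{}, err
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return ProtectionKey{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return ProtectionKey{}, err
	}
	return ProtectionKey{Name: name, aead: aead}, nil
}

// Protect encrypts plaintext under k, binding the object ID as additional data
// so a ciphertext cannot be moved to another object.
func Protect(k ProtectionKey, id string, plaintext []byte) (Secret, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Secret{}, err
	}
	ct := k.aead.Seal(nil, nonce, plaintext, []byte(id))
	return Secret{ID: id, KeyName: k.Name, Nonce: nonce, Cipher: ct}, nil
}

// Unprotect decrypts s with whichever key the record names; a retired key is an error.
func Unprotect(keys map[string]ProtectionKey, s Secret) ([]byte, error) {
	k, ok := keys[s.KeyName]
	if !ok {
		return nil, fmt.Errorf("object %s: key %q is not available", s.ID, s.KeyName)
	}
	return k.aead.Open(nil, s.Nonce, s.Cipher, []byte(s.ID))
}

// Rotate decrypts every object protected by oldName and writes it back under newKey,
// returning how many were rotated. Objects under any other key are skipped, so an
// interrupted rotation can simply be re-run; the old key must stay available until done.
func Rotate(store []Secret, keys map[string]ProtectionKey, oldName string, newKey ProtectionKey) (int, error) {
	keys[newKey.Name] = newKey
	rotated := 0
	for i := range store {
		if store[i].KeyName != oldName {
			continue
		}
		pt, err := Unprotect(keys, store[i])
		if err != nil {
			return rotated, err
		}
		s, err := Protect(newKey, store[i].ID, pt)
		if err != nil {
			return rotated, err
		}
		store[i] = s
		rotated++
	}
	return rotated, nil
}

// CountByKey reports how many objects each key still protects; the old key can be
// retired (or software encryption disabled) only when its count reaches zero.
func CountByKey(store []Secret) map[string]int {
	counts := map[string]int{}
	for _, s := range store {
		counts[s.KeyName]++
	}
	return counts
}

func main() {
	oldKey, _ := newKey("software-key-1") // constructed demo key names
	newK, _ := newKey("hsm-key-2")
	keys := map[string]ProtectionKey{oldKey.Name: oldKey}
	a, _ := Protect(oldKey, "obj-1", []byte("constructed secret A"))
	b, _ := Protect(oldKey, "obj-2", []byte("constructed secret B"))
	store := []Secret{a, b}
	n, err := Rotate(store, keys, oldKey.Name, newK)
	fmt.Println("rotated:", n, "err:", err, "by key:", CountByKey(store))
}
```

The point the count makes is the one behind the backup and "Disable software encryption" notes further down: the old key is still needed for any object the rotation has not yet reached, and only a store with zero objects under it can safely stop using that key.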

NOTE  To learn more about how Trust Protection Platform uses the System Protection Key to protect assets, see Managing system encryption keys.

Before you begin

  • Make sure that you have a working HSM client on each server, and that the HSM DLL file is in the same location on each server. To add a new HSM connector, see Creating an HSM connector.

  • Make sure that you have a backup of your current key. If you're using a software key, follow the steps in Backing up the software encryption key. For keys stored on an HSM, verify that your key has been backed up in a recent backup of your HSM.

  • The VPlatform service needs to be running to perform the rotation. There is no need to stop or restart services when performing a rotation. The encryption subsystem will dynamically reload when there is a change.

  • When the key has been rotated, the change is replicated to all Venafi servers in the cluster within 5 minutes. For servers that Message Bus can connect to, the change is applied in near real time.

  • There is a rotation widget that appears in the System Dashboard in the web console when a rotation is in progress.

IMPORTANT  After rotating your key, you will need to replace your existing answer file with a new answer file that contains your updated key. More information is provided after the steps in this procedure.

Steps for Key Rotation

  1. From the Venafi Trust Protection Platform server, open Venafi Configuration Console.

  2. In the left panel, click Connectors.

  3. In the Actions panel on the right, click Rotate TPP System Protection Key.

  4. In the New Key Name box, give this key a unique name.

  5. From the Connector drop-down menu, select the location where you want the new System Protection Key to be stored.

    NOTE  If you select a connector other than the one you currently use, the new key will be stored on the connector that you select.

    You can see which connector you are currently using in the Encryption tree of Trust Protection Platform. Open the Trust Protection Platform web interface by going to https://<tpp-server-url>/aperture. From the Platform menu bar, click Policy Tree. Then, in the drop-down menu near the top left corner, select Encryption.

    The Default Key Generation box shows the encryption connector currently in use, and the Default Protection Key box shows the name of the key currently in use.

  6. From the Rotate Keys On drop-down menu, make a selection according to the following guidelines:

    • Selecting Any available server allows the first available Trust Protection Platform server in the cluster to perform the rotation. All other factors being equal, this is the recommended selection.

    • If you have one Trust Protection Platform server with notably lower latency to the database and to the HSM, we recommend selecting that server specifically.

    The keys will be rotated in the database by a single server, and all other servers will receive information about the new key.

  7. If you are rotating your key from software to hardware, selecting Disable software encryption will ensure that the software key is no longer used.

  8. Click Rotate.

    Depending on how many items there are to re-encrypt, this process may take a while. You can close the Rotate System Protection Key window (you can even close Venafi Configuration Console), and the rotation will continue to run in the background. You can check the status of the rotation by going to https://<tpp-server-url>/aperture/platform/dashboard/tpp-services and opening the Platform menu.

IMPORTANT  Make sure to back up your new encryption key. If you've rotated a software key back into software, follow the steps in Backing up the software encryption key. If you've rotated the key to hardware, make sure you have backup procedures in place for your HSM.

IMPORTANT  If you are using answer files for Trust Protection Platform installations, you must create a new answer file that contains your updated key. Follow the steps in Answer File wizard.

You can see the status of the key rotation task by using the Rotation Widget in the System Dashboard (Aperture).

Log events

You can view log events related to rotating the System Protection Key in the Venafi Event Viewer. The Venafi Event Viewer can be opened either from the Venafi Configuration Console on the Trust Protection Platform server or by using the MMC Snap-in collection.

In Venafi Event Viewer, you can set up a custom view to see log events related to System Protection Key rotation.

  1. To set up a custom view, open the Venafi Event Viewer and follow the steps in Custom Views.

  2. In the Event Sources section, expand the Venafi Secret Store grouping, then select the checkbox next to each of the following:

    • Secret Store - Key rotated. Log event that indicates the encryption key for a given object was rotated.

    • Secret Store - Keys rotated. Log event that indicates the key rotation is complete.

    • Secret Store - Server key rotation requested. Log event that indicates the initiation of the key rotation.
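A small monitoring check built on the three events above, as an added example that is not Venafi's code: it walks exported event records in order, recognises the request, per-object and completion events by name, and flags a rotation that was requested but has not reported completion, or per-object rotation events with no request behind them. Only the three event names come from this page; the "timestamp | source | event | details" record layout and the sample records are constructed for the example and are not the Venafi Event Viewer's export format.

```go
package main

import (
	"fmt"
	"strings"
)

// Event names as listed in the Venafi Secret Store grouping on this page.
const (
	evRequested = "Secret Store - Server key rotation requested"
	evObject    = "Secret Store - Key rotated"
	evComplete  = "Secret Store - Keys rotated"
)

// RotationStatus is what the event stream says about one rotation run.
type RotationStatus struct {
	Requested      bool
	ObjectsRotated int
	Completed      bool
}

// SummarizeRotation derives the rotation state from records in the constructed
// "timestamp | source | event | details" layout; malformed records are skipped.
func SummarizeRotation(records []string) RotationStatus {
	var st RotationStatus
	for _, rec := range records {
		fields := strings.Split(rec, " | ")
		if len(fields) < 3 {
			continue
		}
		switch strings.TrimSpace(fields[2]) {
		case evRequested:
			st.Requested = true
		case evObject:
			st.ObjectsRotated++
		case evComplete:
			st.Completed = true
		}
	}
	return st
}

// Findings returns what an operator should act on: a requested rotation with no
// completion event, or objects re-encrypted with no recorded request.
func (st RotationStatus) Findings() []string {
	var f []string
	if st.Requested && !st.Completed {
		f = append(f, "rotation requested but no completion event yet; check the Rotation Widget in the System Dashboard")
	}
	if !st.Requested && st.ObjectsRotated > 0 {
		f = append(f, "objects re-encrypted without a recorded rotation request")
	}
	return f
}

// sampleRecords are constructed for this example (key and object names are placeholders).
var sampleRecords = []string{
	"2024-05-01T10:00:00Z | Venafi Secret Store | Secret Store - Server key rotation requested | new key=hsm-key-2",
	"2024-05-01T10:00:02Z | Venafi Secret Store | Secret Store - Key rotated | object=obj-1",
	"2024-05-01T10:00:02Z | Venafi Secret Store | Secret Store - Key rotated | object=obj-2",
	"2024-05-01T10:00:03Z | Venafi Secret Store | Secret Store - Keys rotated | total=2",
}

func main() {
	st := SummarizeRotation(sampleRecords)
	fmt.Printf("requested=%v objects=%d completed=%v findings=%v\n",
		st.Requested, st.ObjectsRotated, st.Completed, st.Findings())
}
```

Run against a real export, the check is most useful in the window after clicking Rotate: a request with per-object events still arriving is a rotation in progress, while a request followed by silence is the case to investigate on the System Dashboard.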