Rotate the System Protection Key
Rotating the System Protection Key will generate a new encryption key and re-encrypt all objects in the Trust Protection Platform database that are currently encrypted with the System Protection Key. When you rotate encryption keys, the system searches for all assets that are encrypted with the old key, decrypts them, encrypts them with the new key, and stores the newly encrypted value back in the database.
NOTE To learn more about how Trust Protection Platform uses the system protection key to protect assets, see Managing system encryption keys.
There are two procedures with similar names, and it's important to verify which procedure you want.
Rotate Secret Store keys
- Secret Store keys are used to encrypt data in Secret Store, and focus on securing specific policy folders.
- Different policy folders can be encrypted by different Secret Store keys.
- Rotating Secret Store keys should be done regularly to maintain updated security.
- During key rotation, the system searches for all assets that are encrypted with the old key, decrypts them, encrypts them with the new key, and stores the newly encrypted value back in the database.
- This rotation can be initiated from the Venafi Configuration Console, and does not require any downtime.
- The procedure outlined below is NOT for rotating Secret Store keys. To rotate Secret Store keys, see Rotate Secret Store encryption keys.

Rotate System Protection key
- The System Protection key encrypts everything stored in the Secret Store that isn't otherwise encrypted by a specific Secret Store key.
- When you rotate the System Protection key, you create the new key, and then store it on the selected encryption connector.
- The new key is encrypted using the current key and can be accessed by other Venafi Platform servers.
- During the rotation process both the new and current keys remain active, allowing a seamless transition without downtime.
- Once all objects have been re-encrypted with the new key, the current key is deleted from each Venafi Platform server.
- The procedure below shows you how to rotate the System Protection key.
- When System Protection Key rotation is initiated, Trust Protection Platform directs the creation of a new encryption key and stores that key on the encryption connector that you select.
- Trust Protection Platform encrypts the new key using the current key and stores it. The other Trust Protection Platform servers can then access the new key.
- Once it's confirmed that every server in the cluster has the new key, the key rotation begins. Objects encrypted with the current key will be re-encrypted with the new key.
- During key rotation, both the new key and the current key remain active on the Trust Protection Platform servers. This allows key rotation to happen in the background with no downtime.
- Once all objects have been re-encrypted with the new key, the current key is deleted from each Trust Protection Platform server.
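As an added illustration of the sequence above (this is not Venafi's code and not how Trust Protection Platform is implemented internally), the following Go program models the mechanism: every stored object is tagged with the name of the key that protects it, the new key is generated and handed to the other servers wrapped (encrypted) under the current key, both keys stay usable while records are re-encrypted one at a time, and the old key is deleted only once nothing references it. The KeyStore and Record types, the key names, and the choice of AES-256-GCM are assumptions made for the example; a second cluster member is modelled as a second KeyStore that starts with a copy of the current key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type KeyStore struct { // assumed, simplified model of one server's protection keys
	keys    map[string][]byte // raw key material by name
	current string            // key used for new encryptions
}

type Record struct { // one encrypted database object, tagged with the key that protects it
	KeyName           string
	Nonce, Ciphertext []byte
}

// mustRandom returns n bytes from the OS CSPRNG; failure here is fatal.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds AES-256-GCM for a named key; a name this server does not hold gives a nil key and fails here.
func (ks *KeyStore) gcm(name string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(ks.keys[name])
	if err != nil {
		return nil, fmt.Errorf("key %q: %w", name, err)
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the named key, binding the key name as associated data.
func (ks *KeyStore) Encrypt(name string, plaintext []byte) (Record, error) {
	aead, err := ks.gcm(name)
	if err != nil {
		return Record{}, err
	}
	nonce := mustRandom(aead.NonceSize())
	return Record{name, nonce, aead.Seal(nil, nonce, plaintext, []byte(name))}, nil
}

// Decrypt opens a record with the key it is tagged with; during a rotation both keys are held.
func (ks *KeyStore) Decrypt(r Record) ([]byte, error) {
	aead, err := ks.gcm(r.KeyName)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, r.Nonce, r.Ciphertext, []byte(r.KeyName))
}

// CreateWrappedKey generates the new key and returns it wrapped (encrypted) under the current key.
func (ks *KeyStore) CreateWrappedKey(newName string) (Record, error) {
	newKey := mustRandom(32)
	wrapped, err := ks.Encrypt(ks.current, newKey)
	if err != nil {
		return Record{}, err
	}
	ks.keys[newName] = newKey
	return wrapped, nil
}

// ImportWrappedKey runs on every other server: it unwraps the new key with its copy of the current key.
func (ks *KeyStore) ImportWrappedKey(newName string, wrapped Record) error {
	newKey, err := ks.Decrypt(wrapped)
	if err != nil {
		return err
	}
	ks.keys[newName] = newKey
	return nil
}

// Rotate re-encrypts every record held under the current key with newName, one at a time,
// then makes newName current and deletes the old key only once nothing references it.
func Rotate(ks *KeyStore, db []Record, newName string) (int, error) {
	old, rotated := ks.current, 0
	for i, r := range db {
		if r.KeyName != old {
			continue // protected by some other key; not part of this rotation
		}
		plaintext, err := ks.Decrypt(r)
		if err == nil {
			r, err = ks.Encrypt(newName, plaintext)
		}
		if err != nil {
			return rotated, fmt.Errorf("record %d: %w", i, err)
		}
		db[i] = r
		rotated++
	}
	ks.current = newName
	delete(ks.keys, old)
	return rotated, nil
}
```

A two-server cluster is exercised by building two KeyStore values that share the current key, calling CreateWrappedKey on one and ImportWrappedKey on the other, then running Rotate on whichever server performs the rotation; afterwards every record carries the new key name and the second server can still open them. Rotate also refuses to proceed, and changes nothing, if the new key has not reached the server it runs on, which is the failure mode the "every server has the new key" confirmation step guards against.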
Before you begin
- Make sure that you have a working HSM client on each server, and make sure that the HSM DLL file is in the same location on each server. To add a new HSM connector, see Creating a HSM connector.
- Make sure that you have a backup of your current key. If you're using a software key, follow the steps in Backing up the software encryption key. For keys stored on an HSM, verify that your key has been backed up in a recent backup of your HSM.
- The VPlatform service needs to be running to perform the rotation. There is no need to stop or restart services when performing a rotation. The encryption subsystem will dynamically reload when there is a change.
- When the key has been rotated, the change is replicated on all Venafi servers in the cluster within 5 minutes. For servers that Message Bus can connect to, the change is applied in near real time.
- A rotation widget appears in the System Dashboard in the web console while a rotation is in progress.
IMPORTANT After rotating your key, you will need to replace your existing answer file with a new answer file that contains your updated key. More information is provided after the steps in this procedure.
Steps for Key Rotation
- From the Venafi Trust Protection Platform server, open Venafi Configuration Console.
- In the left panel, click Connectors.
- In the Actions panel on the right, click Rotate TPP System Protection Key.
- In the New Key Name box, give this key a unique name.
- From the Connector drop-down menu, select the location where you want the new System Protection Key to be stored.
  NOTE If you select a connector other than your currently-used connector, the new key will be stored on the connector that you select.
  You can see which connector you are currently using in the Encryption tree of Trust Protection Platform. Open the Trust Protection Platform web interface by going to https://<tpp-server-url>/aperture. From the Platform menu bar, click Policy Tree. Then, in the drop-down menu near the top left corner, select Encryption. The Default Key Generation box shows your currently-used encryption connector, and the Default Protection Key box shows the name of the currently-used key.
- From the Rotate Keys On drop-down menu, make a selection according to the following guidelines:
  - Selecting Any available server allows the first available Trust Protection Platform server in the cluster to perform the rotation. All other factors being equal, this is the recommended selection.
  - If you have one Trust Protection Platform server with notably less latency to the database and to the HSM, we recommend selecting that server specifically. The keys will be rotated in the database by a single server, and all other servers will receive information about the new key.
- If you are rotating your key from software to hardware, selecting Disable software encryption will ensure that the software key is no longer used.
- Click Rotate.
  Depending on how many items there are to re-encrypt, this process may take a while. You can close the Rotate System Protection Key window (you can even close Venafi Configuration Console), and the rotation will continue to run in the background. You can check the status of the rotation by going to https://<tpp-server-url>/aperture/platform/dashboard/tpp-services and opening the Platform menu.
IMPORTANT Make sure to back up your new encryption key. If you've rotated a software key back into software, follow the steps in Backing up the software encryption key. If you've rotated the key to hardware, make sure you have backup procedures in place for your HSM.
IMPORTANT If you are using answer files for Trust Protection Platform installations, you must create a new answer file that contains your updated key. Follow the steps in Answer File wizard.
You can see the status of the key rotation task by using the Rotation Widget in the System Dashboard (Aperture).
Log events
You can view log events related to rotating the System Protection Key in the Venafi Event Viewer. The Venafi Event Viewer can be opened either from the Venafi Configuration Console on the Trust Protection Platform server or by using the MMC Snap-in collection.
In Venafi Event Viewer, you can set up a custom view to see log events related to System Protection Key rotation.
- To set up a custom view, open the Venafi Event Viewer and follow the steps in Custom Views.
- In the Event Sources section, expand the Venafi Secret Store grouping, then click the checkbox next to the following:
  - Secret Store - Key rotated. Log event that indicates the encryption key for a given object was rotated.
  - Secret Store - Keys rotated. Log event that indicates the key rotation is complete.
  - Secret Store - Server key rotation requested. Log event that indicates the initiation of the key rotation.
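As an added example (not part of the page and not a Venafi tool), the Go function below reads exported event lines in time order and derives the rotation state from the three events listed above: the request marks the start, each Key rotated event counts one re-encrypted object, and Keys rotated marks completion. It also reports a completion event that has no preceding request, which would mean the custom view is missing events or they are out of order. The tab-separated layout of SampleLog is constructed for the example and is not the Venafi Event Viewer's export format; the only values taken from the page are the three event names.

```go
package main

import (
	"fmt"
	"strings"
)

// Event names exactly as the page lists them under the Venafi Secret Store grouping.
const (
	evRequested  = "Secret Store - Server key rotation requested"
	evKeyRotated = "Secret Store - Key rotated"
	evComplete   = "Secret Store - Keys rotated"
)

// SampleLog is constructed test data in an assumed "timestamp<TAB>event<TAB>detail"
// layout; it is not a real Venafi Event Viewer export.
var SampleLog = []string{
	"2024-05-01T10:00:00Z\tSecret Store - Server key rotation requested\tnew key: spk-2024",
	"2024-05-01T10:00:05Z\tSecret Store - Key rotated\tobject 1 of 2",
	"2024-05-01T10:00:06Z\tSecret Store - Key rotated\tobject 2 of 2",
	"2024-05-01T10:00:09Z\tSecret Store - Keys rotated\tspk-2024",
}

// RotationStatus walks event lines in time order and reports whether a rotation is
// "not started", "in progress" or "complete", plus how many per-object "Key rotated"
// events were seen since the request. A completion event with no preceding request
// is returned as an error, since it means the log view is incomplete or out of order.
func RotationStatus(lines []string) (status string, rotated int, err error) {
	status = "not started"
	for n, line := range lines {
		switch {
		case strings.Contains(line, evRequested):
			status, rotated = "in progress", 0 // a new request starts a fresh count
		case strings.Contains(line, evComplete):
			if status == "not started" {
				return status, rotated, fmt.Errorf("line %d: %q without a preceding request", n+1, evComplete)
			}
			status = "complete"
		case strings.Contains(line, evKeyRotated):
			rotated++
		}
	}
	return status, rotated, nil
}
```

Run against a view that contains only the request and some Key rotated events, the function reports "in progress" with the count so far, which is the same information the dashboard widget shows while a rotation is running; a "complete" result with a count that matches the number of objects you expected to be re-encrypted is the check to make before treating the rotation as finished.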