Database Encryption

Venafi Platform uses encryption at rest to protect the information stored in your database. There are two options for database encryption: software encryption, and hardware encryption. You must use some combination of the two (hardware, or software, or both).

Understanding your encryption options is important so you know how Venafi Platform is protecting your data.

For more information on encryption drivers and how to configure them, see Overview of encryption drivers.

Software Encryption

If you select software encryption, your database assets will be encrypted using an AES-256 encryption key stored in the Windows registry. You either provide a key, or have Venafi Platform generate a key for you. You must use the same encryption key on all Venafi servers.

To export your software key for backup or to us on another server, you can use the Venafi Configuration Console (VCC), or you can use the command line.

For information on using VCC, see Backing up the software encryption key.

To backup using the command line, run the following command:

tppconfiguration.exe -keyexport:<file-path>

Hardware Encryption

If you select hardware encryption, your encryption material will be stored on a SafeNet Luna SA or Entrust nShield hardware security module (HSM).

NOTE  While most other uses of HSMs require Venafi Advanced Key Protect (AKP), you can encrypt secrets in your database using an HSM without a license for AKP.

More information on hardware encryption can be found at Using HSM-protected encryption keys.

Tips for using both types of encryption

You can use both software and hardware encryption. If you choose to do so, there are some things you should be aware of.

  • During a first-time install, you can configure both software and hardware encryption.
  • When you install on subsequent servers, you must use the same configuration as the initial installation.
  • On subsequent servers, if you only used only one form of encryption, the other encryption screen is disabled, since the system detects it is not required.

Adding software encryption to an existing system

If you install with only hardware encryption, and later go back to add software encryption, there are specific steps to follow because you will have one Venafi server with software encryption and your other servers won't be able to connect to the newly-encrypted database. Follow these steps to apply software encryption to your HSM-protected cluster:

On the first server (it doesn't matter which of your servers you pick):

  1. Stop all services.
  2. In Venafi Configuration Console (VCC), open Connectors > SoftwareProperties and enable Encryption and Key Generation.
  3. Close VCC, then reopen it.

    This procedure triggers the platform to generate a software key.

    Export the new key, using the console, or using the following command line switch:

    tppconfiguration.exe -keyexport:<file-path>

  4. Restart services.

On all other servers in the cluster:

  1. Stop all services.
  2. Using the command line, import the key using the following command line switch:

    tppconfiguration.exe -keyimport:<file-path>

    For example:

    tppconfiguration.exe -keyimport:c:\software-key.pem

    You'll be asked to provide the password for the PEM file, then the key will be imported.

  3. Restart all services.

Read more about how to use tppconfiguration.exe and associated command line switches at Command line configuration switches.