Rotate Secret Store encryption keys

The Venafi Configuration Console provides the ability to rotate the encryption keys used to secure the information stored in Venafi Trust Protection Platform.

When you rotate the encryption keys, the system searches for all assets that are encrypted with the old key, decrypts them, encrypts them with the new key, and stores the newly encrypted value back in the database.

DID YOU KNOW?  Rotating Secret Store Keys is different from rotating the System Protection Key. The System Protection Key is the default key used to encrypt secrets where no other Secret Store Key is used. To rotate the System Protection Key, see Rotate the System Protection Key.

Rotating Secret Store keys involves changing the encryption keys used to secure the information stored in Trust Protection Platform. Doing this regularly keeps the keys fresh and limits how much data any one key protects. During key rotation, the system searches for all assets that are encrypted with the old key, decrypts them, encrypts them with the new key, and stores the newly encrypted value back in the database. This rotation can be initiated from the Venafi Configuration Console and does not require any downtime.

On the other hand, rotating the System Protection Key is specifically related to encrypting secrets in the absence of other Secret Store keys. The System Protection Key is the default key used for this purpose. Rotating the System Protection Key involves creating a new encryption key and storing it on the selected encryption connector. The new key is encrypted using the current key and can be accessed by other Trust Protection Platform servers. During the rotation process, both the new and current keys remain active, allowing for a seamless transition without downtime. Once all objects have been re-encrypted with the new key, the current key is deleted from each Trust Protection Platform server.

In summary, rotating Secret Store keys focuses on securing specific policy folders, while rotating the System Protection Key changes the default key used to encrypt secrets in Venafi Trust Protection Platform.
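The rotation described above (find every asset encrypted with the old key, decrypt, re-encrypt with the new key, write it back, and only then delete the old key) can be modelled in a few dozen lines. The following is an added example and not Venafi code: it uses a constructed in-memory store, constructed key ids (`key-2023`, `key-2024`, `key-other`) and asset names, and an HMAC-SHA256 keystream with an HMAC tag as a standard-library stand-in for a real cipher, since Python ships no AES. The two checks a practitioner cares about are that both keys stay active for the whole pass and that retiring a key is refused while anything still references it.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Record:
    """One encrypted asset; key_id records which store key protects it."""
    name: str
    key_id: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream: a stdlib stand-in for a
    # real cipher, used only so this example runs without extra packages.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key, key_id, name, plaintext):
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    # encrypt-then-MAC; the key id is authenticated so a record cannot be
    # quietly re-labelled as belonging to another key
    tag = hmac.new(key, key_id.encode() + nonce + ct, hashlib.sha256).digest()
    return Record(name, key_id, nonce, ct, tag)


def decrypt(key, rec):
    expected = hmac.new(key, rec.key_id.encode() + rec.nonce + rec.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec.tag):
        raise ValueError(f"integrity check failed for {rec.name!r}")
    return bytes(c ^ k for c, k in zip(rec.ciphertext, _keystream(key, rec.nonce, len(rec.ciphertext))))


class SecretStore:
    def __init__(self):
        self.keys = {}     # active keys by id; old and new both stay here during rotation
        self.records = {}  # encrypted assets by name

    def put(self, name, key_id, plaintext):
        self.records[name] = encrypt(self.keys[key_id], key_id, name, plaintext)

    def get(self, name):
        rec = self.records[name]
        return decrypt(self.keys[rec.key_id], rec)

    def references(self, key_id):
        """How many assets are still encrypted under key_id."""
        return sum(1 for r in self.records.values() if r.key_id == key_id)

    def rotate(self, old_id, new_id):
        """Re-encrypt every asset under old_id with new_id; returns the count."""
        if old_id not in self.keys or new_id not in self.keys:
            raise KeyError("both the old and the new key must be active during rotation")
        rotated = 0
        for name, rec in list(self.records.items()):
            if rec.key_id != old_id:
                continue  # assets under other keys are left alone
            plaintext = decrypt(self.keys[old_id], rec)
            self.records[name] = encrypt(self.keys[new_id], new_id, name, plaintext)
            rotated += 1
        return rotated

    def retire_key(self, key_id):
        """Delete a key, but only once nothing is encrypted with it."""
        remaining = self.references(key_id)
        if remaining:
            raise RuntimeError(f"{remaining} asset(s) still use {key_id!r}; rotate first")
        del self.keys[key_id]


def demo():
    """Constructed scenario: two assets under key-2023, one under an unrelated key."""
    store = SecretStore()
    store.keys.update({k: os.urandom(32) for k in ("key-2023", "key-2024", "key-other")})
    store.put("db-password", "key-2023", b"s3cret-db")
    store.put("api-token", "key-2023", b"tok_abc123")
    store.put("hsm-pin", "key-other", b"1234")
    try:  # deleting the old key before rotation must be refused
        store.retire_key("key-2023")
        early_retire_refused = False
    except RuntimeError:
        early_retire_refused = True
    rotated = store.rotate("key-2023", "key-2024")
    store.retire_key("key-2023")  # safe now: zero assets reference it
    return {
        "rotated": rotated,
        "early_retire_refused": early_retire_refused,
        "old_refs": store.references("key-2023"),
        "new_refs": store.references("key-2024"),
        "untouched": store.records["hsm-pin"].key_id,
        "db_password": store.get("db-password"),
        "api_token": store.get("api-token"),
        "old_key_deleted": "key-2023" not in store.keys,
    }


if __name__ == "__main__":
    print(demo())
```

The `references()` count is the same information the page's Rotation Widget surfaces: rotation is finished, and the old key safe to remove, only when that count reaches zero. Note that the asset under `key-other` is untouched, which is the "specific policy folder" behaviour the Rotate Key option is for.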

Before you begin

  • If you've set a policy to change your encryption key after a certain period, you'll want to use the ‘Rotate System Protection Key’ feature. This rotates every use of an encryption key—including in the Secret Store, registry, and config—to a new key.

  • If you work with multiple encryption keys and need to rotate a specific policy folder's key to another, choose the ‘Rotate Key’ option.

  • Make sure that all services will remain running until the task is completed.

  • You can see the status of the key rotation task by using the Rotation Widget in the System Dashboard (Aperture).

To rotate encryption keys

  1. From the Venafi Trust Protection Platform server, open Venafi Configuration Console.
  2. In the left panel, click Connectors.
  3. In the center panel, click the key that you want to rotate.
  4. In the Actions panel on the right, click Rotate Keys...
  5. (Conditional) If requested, enter the Venafi Platform administrator user name and password.
  6. Select the old key from the list.
  7. Select the new key from the list.
  8. Click Rotate.

Depending on how many objects were encrypted with the old key, this process may take some time. Do not exit the Configuration Console until the key rotation process is complete.