Rotate the System Protection Key

Rotating the System Protection Key will generate a new encryption key and re-encrypt all objects in the Trust Protection Platform database that are currently encrypted with the System Protection Key. When you rotate encryption keys, the system searches for all assets that are encrypted with the old key, decrypts them, encrypts them with the new key, and stores the newly encrypted value back in the database.

NOTE  To learn more about how Trust Protection Platform uses the system protection key to protect assets, see Managing system encryption keys

DID YOU KNOW?  Rotating the System Protection Key is different from rotating a Secret Store Key that may be applied to a specific policy folder. The System Protection Key is the default key used to encrypt secrets where no other Secret Store Key is used. To rotate a Secret Store Key, see Rotate Secret Store encryption keys

Rotating Secret Store keys changes the encryption key that protects the secrets under a specific policy folder. Rotating on a schedule limits how much data, and for how long, any single key protects. During a Secret Store key rotation, the system searches for all assets that are encrypted with the old key, decrypts them, encrypts them with the new key, and stores the newly encrypted value back in the database. You start the rotation from the Venafi Configuration Console, and it does not require downtime.

Rotating the System Protection Key, by contrast, replaces the default key that encrypts secrets wherever no other Secret Store key is applied. Rotation creates a new encryption key and stores it on the encryption connector you select. The new key is encrypted with the current key so that the other Trust Protection Platform servers can access it. During the rotation, both the new key and the current key remain active, so the transition completes without downtime. Once all objects have been re-encrypted with the new key, the old key is deleted from each Trust Protection Platform server.

In summary, rotating Secret Store keys targets the secrets of specific policy folders, while rotating the System Protection Key changes the default key used to encrypt secrets across the Venafi Trust Protection Platform.

Before you begin

  • If you've set a policy to change your encryption key after a certain period, use the ‘Rotate System Protection Key’ feature. This rotates every use of the encryption key, including in the Secret Store, registry, and config, to a new key.

  • If you work with multiple encryption keys and need to rotate a specific policy folder's key to another key, choose the ‘Rotate Key’ option instead.

  • Make sure that you have a working HSM client on each server, and that the HSM DLL file is in the same location on each server. Rotation is performed by one server, but every server must be able to open the new key afterwards. To add a new HSM connector, see Creating an HSM (Cryptoki) connector.

  • Make sure that you have a backup of your current key. If you're using a software key, follow the steps in Backing up the software encryption key. For keys stored on an HSM, verify that your key has been backed up in a recent backup of your HSM.
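The HSM prerequisite above is easy to get wrong in a multi-server deployment, and a mismatch only surfaces after the rotation when a server cannot open the new key. The following PowerShell script is an added example, not Venafi's own code, that checks every Trust Protection Platform server for the Cryptoki DLL at the same path and confirms the file is the same build everywhere. The server names, the DLL path, and the use of PowerShell Remoting (WinRM) between the servers are assumptions for illustration; substitute your own.

```powershell
# Added example (not Venafi's own code): verify that the HSM (Cryptoki) client DLL is
# present at the same path, and is the same file, on every Trust Protection Platform
# server before starting a System Protection Key rotation.
# Assumptions: the server names and DLL path below are placeholders for your environment,
# and PowerShell Remoting (WinRM) is enabled from the machine running this script.

$TppServers = @('tpp-01', 'tpp-02', 'tpp-03')            # assumed server names
$HsmDllPath = 'C:\Program Files\HSMClient\cryptoki.dll'  # assumed Cryptoki DLL path

function Get-HsmDllState {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$DllPath
    )
    # Probe every server; each returns one record describing the DLL at the given path.
    Invoke-Command -ComputerName $ComputerName -ArgumentList $DllPath -ScriptBlock {
        param($Path)
        $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Server  = $env:COMPUTERNAME
            Path    = $Path
            Present = [bool]$item
            Version = if ($item) { $item.VersionInfo.FileVersion } else { $null }
            Sha256  = if ($item) { (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash } else { $null }
        }
    }
}

$states = Get-HsmDllState -ComputerName $TppServers -DllPath $HsmDllPath
$states | Format-Table Server, Present, Version, Sha256 -AutoSize

# The rotation runs on a single server, but every server must load the same client
# afterwards, so stop if the DLL is missing anywhere or differs between servers.
$missing        = @($states | Where-Object { -not $_.Present })
$distinctHashes = @($states | Where-Object { $_.Present } |
                    Select-Object -ExpandProperty Sha256 | Sort-Object -Unique)

if ($missing.Count -gt 0) {
    Write-Error ("HSM DLL missing on: " + ($missing.Server -join ', '))
}
elseif ($distinctHashes.Count -gt 1) {
    Write-Error "HSM DLL differs between servers; install the same client build everywhere before rotating."
}
else {
    Write-Host "HSM DLL present and identical on all $($states.Count) servers; safe to proceed with rotation."
}
```

Run the script from an account that can remote to all servers; a non-zero count of missing or mismatched DLLs means the rotation should not be started until the HSM client is installed consistently.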

IMPORTANT  After rotating your key, you will need to replace your existing answer file with a new answer file that contains your updated key. More information is provided after the steps in this procedure.

Steps for Key Rotation

  1. From the Venafi Trust Protection Platform server, open Venafi Configuration Console.

  2. In the left panel, click Connectors.

  3. In the Actions panel on the right, click Rotate TPP System Protection Key.

  4. In the New Key Name box, give this key a unique name.

  5. From the Connector drop-down menu, select the location where you want the new System Protection Key to be stored.

    NOTE  If you select a connector other than your currently-used connector, the new key will be stored on the connector that you select.

    You can see what connector you are currently using in the Encryption tree of Trust Protection Platform. Open the Trust Protection Platform web interface by going to https://<tpp-server-url>/aperture. From the Platform menu bar, click Policy Tree. Then, in the drop-down menu near the top left corner, select Encryption.

    The Default Key Generation box shows your currently-used encryption connector, and the Default Protection Key box shows the name of the currently-used key.

  6. From the Rotate Keys On drop-down menu, make a selection according to the following guidelines:

    • Selecting Any available server allows the first available Trust Protection Platform server in the cluster to perform the rotation. All other factors being equal, this is the recommended selection.

    • If you have one Trust Protection Platform server with notably lower latency to the database and to the HSM, we recommend selecting that server specifically.

    The keys will be rotated in the database by a single server, and all other servers will receive information about the new key.

  7. If you are rotating your key from software to hardware, select Disable software encryption to ensure that the software key is no longer used.

  8. Click Rotate.

    Depending on how many items there are to re-encrypt, this process may take a while. You can close the Rotate System Protection Key window, and the rotation will continue to run in the background. You can check the status of the rotation by going to https://<tpp-server-url>/aperture/platform/dashboard/tpp-services and opening the Platform menu.

IMPORTANT  Make sure to back up your new encryption key. If you've rotated a software key back into software, follow the steps in Backing up the software encryption key. If you've rotated the key to hardware, make sure you have backup procedures in place for your HSM.

IMPORTANT  If you are using answer files for Trust Protection Platform installations, you must create a new answer file that contains your updated key. Follow the steps in Answer File wizard.

You can see the status of the key rotation task by using the Rotation Widget in the System Dashboard (Aperture).

Log events

You can view log events related to rotating the System Protection Key in the Venafi Event Viewer. The Venafi Event Viewer can be opened either from the Venafi Configuration Console on the Trust Protection Platform server or by using the MMC Snap-in collection.

In Venafi Event Viewer, you can set up a custom view to see log events related to System Protection Key rotation.

  1. To set up a custom view, open the Venafi Event Viewer and follow the steps in Custom Views.

  2. In the Event Sources section, expand the Venafi Secret Store grouping, then click the checkbox next to the following:

    • Secret Store - Key rotated. Log event that indicates the encryption key for a given object was rotated.

    • Secret Store - Keys rotated. Log event that indicates the key rotation is complete.

    • Secret Store - Server key rotation requested. Log event that indicates the initiation of the key rotation.