Rotate Secret Store encryption keys

The Venafi Configuration Console provides the ability to rotate the encryption keys used to secure the information stored in Venafi Trust Protection Platform.

When you rotate the encryption keys, the system searches for all assets that are encrypted with the old key, decrypts them, encrypts them with the new key, and stores the newly encrypted value back in the database.

DID YOU KNOW?  Rotating Secret Store Keys is different than rotating the System Protection Key. The System Protection Key is the default key used to encrypt secrets where no other Secret Store Key is used. To rotate a Secret Store Key, see Rotate the System Protection Key.

To rotate encryption keys

  1. From the Venafi Trust Protection Platform server, open Venafi Configuration Console.
  2. In the left panel, click Connectors.
  3. In the center panel, click the key that you want to rotate.
  4. In the Actions panel on the right, click Rotate Keys...
  5. (Conditional) If requested, enter the Venafi Platform administrator user name and password.
  6. Select the old key from the list.
  7. Select the new key from the list.
  8. Click Rotate.

Depending on how many objects were encrypted with the old key, this process may take some time. Do not exit the Configuration Console until the key rotation process is complete.