Rotate the System Protection Key

Rotating the System Protection Key will generate a new encryption key and re-encrypt all objects in the Trust Protection Platform database that are currently encrypted with the System Protection Key. When you rotate encryption keys, the system searches for all assets that are encrypted with the old key, decrypts them, encrypts them with the new key, and stores the newly encrypted value back in the database.

NOTE  To learn more about how Trust Protection Platform uses the system protection key to protect assets, see Managing system encryption keys

DID YOU KNOW?  Rotating the System Protection Key is different than rotating a Secret Store Key that may be applied to a specific policy folder. The System Protection Key is the default key used to encrypt secrets where no other Secret Store Key is used. To rotate a Secret Store Key, see Rotate Secret Store encryption keys

  • When System Protection Key rotation is initiated, Trust Protection Platform directs the creation of a new encryption key and stores that key on the encryption connector that you select.

  • Trust Protection Platform encrypts the new key using the current key and stores it. The other Trust Protection Platform servers can then access the new key.

  • Once it's confirmed that every server in the cluster has the new key, the key rotation begins. Objects encrypted with the current key will be re-encrypted with the new key.

  • During key rotation, both the new key and the current key remain active on the Trust Protection Platform servers. This allows key rotation to happen in the background with no downtime.

  • Once all objects have been re-encrypted with the new key, the current key is deleted from each Trust Protection Platform server.

Before you begin

  • Make sure that you have a working HSM client on each server, and make sure that the HSM DLL file is in the same location on each server. To add a new HSM connector, see Creating a HSM (Cryptoki) connector.

  • Make sure that you have a backup of your current key. If you're using a software key, follow the steps in Backing up the software encryption key. For keys stored on an HSM, verify that your key has been backed up in a recent backup of your HSM.

  • Bring up all Trust Protection Platform servers. If any server is down, the key rotation can't complete.

IMPORTANT  After rotating your key, you will need to replace your existing answer file with a new answer file that contains your updated key. More information is provided after the steps in this procedure.

Steps

  1. From the Venafi Trust Protection Platform server, open Venafi Configuration Console.

  2. In the left panel, click Connectors.

  3. In the Actions panel on the right, click Rotate TPP System Protection Key.

  4. In the New Key Name box, give this key a unique name.

  5. From the Connector drop-down menu, select the location where you want the new System Protection Key to be stored.

    NOTE  If you select a connector other than your currently-used connector, the new key will be stored on the connector that you select.

    You can see what connector you are currently using in the Encryption tree of Trust Protection Platform. Open the Trust Protection Platform web interface by going to https://<tpp-server-url>/aperture. From the Platform menu bar, click Policy Tree. Then, in the drop-down menu near the top left corner, select Encryption.

    The Default Key Generation box shows your currently-used encryption connector, and the Default Protection Key box shows the name of the currently-used key.

  6. From the Rotate Keys On drop-down menu, make a selection according to the following guidelines:

    • Selecting Any available server allows the first available Trust Protection Platform server in the cluster to perform the rotation. All other factors being equal, this is the recommended selection.

    • If you have one Trust Protection Platform with notably less latency to the database and to the HSM, we recommend selecting that server specifically.

    The keys will be rotated in the database by a single server, and all other servers will receive information about the new key.

  7. If you are rotating your key from software to hardware, selecting Disable software encryption will ensure that the software key is no longer used.

  8. Click Rotate.

    Depending on how many items there are to re-encrypt, this process may take a while. You can close the Rotate System Protection Key window, and the rotation will continue to run in the background. You can check the status of the rotation by going to https://<tpp-server-url>/aperture/platform/dashboard/tpp-services and opening the Platform menu.

IMPORTANT  Make sure to back up your new encryption key. If you've rotated a software key back into software, follow the steps in Backing up the software encryption key. If you've rotated the key to hardware, make sure you have backup procedures in place for your HSM.

IMPORTANT  If you are using answer files for Trust Protection Platform installations, you must create a new answer file that contains your update key. Follow the steps in Answer File wizard.

Log events

You can view log events related to rotating the System Protection Key in the Venafi Event Viewer. The Venafi Event Viewer can be opened either from the Venafi Configuration Console on the Trust Protection Platform server or by using the MMC Snap-in collection.

In Venafi Event Viewer, you can set up a custom view to see log events related to System Protection Key rotation.

  1. To set up a custom view, open the Venafi Event Viewer and follow the steps in Custom Views.

  2. In the Event Sources section, expand the Venafi Secret Store grouping, then click the checkbox next to the following:

    • Secret Store - Key rotated. Log event that indicates the encryption key for a given object was rotated.

    • Secret Store - Keys rotated. Log event that indicates the key rotation is complete.

    • Secret Store - Server key rotation requested. Log event that indicates the initiation of the key rotation.