Configuring the root encryption driver
IMPORTANT By default, only Master Administrators can view, edit, or delete Encryption objects in the Encryption tree.
The following table describes the available settings and options for the root Report object.
Field |
Description |
---|---|
Encryption Tab |
|
Rotate |
Allows you to automatically re-encrypt all objects in the tree with the designated encryption key. This action re-encrypts all objects encrypted with the designated key. This includes certificates, private keys, SSH keys, symmetric keys, and all credentials. This option allows organizations that already have secrets encrypted with the software key to migrate to an HSM-based key in a single action. Likewise, organizations that must periodically rotate their encryption keys can now do so in a single action. For more information, see Rotate Secret Store encryption keys. While you can rotate keys in the Policy Tree, we recommend you rotate keys in the Venafi Configuration Console. |
Default Key Generation |
Encryption driver used to generate symmetric or asymmetric key pairs in Trust Protection Platform. When Trust Protection Platform generates the CSR on the server, this global setting determines which encryption driver is used to generate a new key pair. The Generate Key/CSR on Application setting in the Certificate object allows you to determine where the CSR and the private key are generated. For more information on this settings, see About certificate object settings. Not all encryption drivers support key generation in Trust Protection Platform. Only encryption drivers that support key generation are available in the drop-down menu. If you want your SSH keys to be generated on a remote system, this setting must be set to the remote system where all the SSH keys will be generated. If you want to override this for certificates, you can do so via policy. |
General Tab |
|
Log Tab |
Provides a view of all events triggered for the current object. An administrator must have a minimum of the Read permission to view this tab. For more information on the Log tab options, see Viewing log events. |
Permissions tab |
On the Permissions tab, you select the users or groups to whom you want to grant permissions to the current object. Then, you select which permissions you want the users or groups to have. You can also manage object permissions via parent objects, including the root Platform object or the Trust Protection Platform server object (found in the Platforms tree). If you configure Permissions in a parent object, those permissions are inherited by all subordinate objects. |