Key management

You are responsible for providing and managing the encryption keys used by Edge Encryption.

When obtaining and creating encryption keys to support the encryption types used by Edge Encryption, you should consider the following:
  • Whether to use AES 128 or AES 256. You must define a default AES 128 encryption key even if it is not used.
  • Whether to use file store, Java KeyStore, or NAE.
  • When to rotate encryption keys.
  • When and if to use a mass encryption job to re-encrypt data using the new key.

Each key is defined by a set of properties. These properties must be the same in every proxy configuration (edgeencryption.properties) file. When adding a new key, also add the set of properties to each proxy configuration file. Removing the set of properties also removes the key from use. Before removing a key from the proxy configuration files and the key store, decrypt all data on the instance that uses the key. You can do this by adding a new encryption key and scheduling a single key rotation job.

A number is appended to each property name to make it unique, for example edgeencryption.encrypter.type.1. All properties that belong to the same key must carry the same number.
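As an added example that is not part of this documentation, the following Python check parses the edgeencryption.properties contents of several proxies, groups properties by the numeric suffix that identifies a key, and reports any proxy whose key property set differs from the others or that lacks the mandatory default key 1. The property values and the second proxy's contents are constructed samples; the only property name taken from the page is edgeencryption.encrypter.type.

```python
"""Consistency check for Edge Encryption key properties across proxy files.

Added example. It relies only on what the page states: each key's properties
share a numeric suffix (e.g. edgeencryption.encrypter.type.1), key 1 must be
defined, and every proxy must carry an identical set of key properties.
"""
import re
from collections import defaultdict

# Matches "edgeencryption.<anything>.<number>" and splits name from key number.
KEY_PROP = re.compile(r"^(edgeencryption\.\S+?)\.(\d+)$")

# Constructed sample contents of two proxies' edgeencryption.properties files.
PROXY_A = """
# proxy-a: default key 1 plus a second key
edgeencryption.encrypter.type.1=AES128
edgeencryption.encrypter.type.2=AES256
"""
PROXY_B = """
# proxy-b: key 2 was never added here (configuration drift)
edgeencryption.encrypter.type.1=AES128
"""

def parse_properties(text):
    """Parse Java-style .properties text into a dict; comments and blanks skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        name, _, value = line.partition("=")
        props[name.strip()] = value.strip()
    return props

def key_groups(props):
    """Group edgeencryption.* properties by the numeric suffix naming the key."""
    groups = defaultdict(dict)
    for name, value in props.items():
        m = KEY_PROP.match(name)
        if m:
            groups[int(m.group(2))][m.group(1)] = value
    return dict(groups)

def check_proxies(files):
    """Return findings (host -> problem); an empty list means all proxies agree."""
    findings = []
    groups = {host: key_groups(parse_properties(text)) for host, text in files.items()}
    for host, g in groups.items():  # default key 1 must exist on every proxy
        if "edgeencryption.encrypter.type" not in g.get(1, {}):
            findings.append(f"{host}: default key 1 has no edgeencryption.encrypter.type")
    hosts = sorted(groups)
    for host in hosts[1:]:  # every proxy must match the first one exactly
        for n in sorted(set(groups[hosts[0]]) ^ set(groups[host])):
            findings.append(f"{host}: key {n} is defined in only one of {hosts[0]}, {host}")
        for n in sorted(set(groups[hosts[0]]) & set(groups[host])):
            if groups[hosts[0]][n] != groups[host][n]:
                findings.append(f"{host}: key {n} properties differ from {hosts[0]}")
    return findings
```

Run `check_proxies` over the real files of every proxy before and after adding or removing a key's property group; a non-empty result means the proxies do not share the same key set.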