Rotate encryption keys

Edge Encryption provides the tools to support encryption key rotation.

About this task

Before setting an encryption key as the default key on any proxy, add the encryption key to all proxies and restart them. Otherwise, a proxy that does not yet have the key cannot decrypt fields that another proxy has already encrypted under the new default. You must restart a proxy both after adding a new key and after setting a new key as the default key.

Note: Before removing a key from the proxy configuration files and the key store, make sure that no data on the instance is still encrypted with that key. You can verify this by setting up and running a single key rotation job.

Procedure

  1. Obtain the new encryption key and make it accessible to all encryption proxies.
  2. For each encryption proxy, add the new encryption key.
    1. Edit the encryption properties file to add the new key.

      The key can be held in a file store, a Java KeyStore, or an NAE key store; add the properties that the proxy needs to locate and load it from that store. After updating the first proxy, you can usually copy the new encryption properties into the properties files of the remaining proxies.

    2. Shut down and restart the proxy.
  3. For each encryption proxy, set the new encryption key as the default key.
    1. Edit the encryption properties file to set the new key as the default key.
    2. Shut down and restart the proxy.
  4. Optionally, create and run a mass encryption job to re-encrypt existing data with the new encryption key.

    Alternatively, change only the default key assignment so that all new data is encrypted with the new key, and leave existing data encrypted with the old key until the data is accessed again. In that case the old key must remain configured on every proxy for as long as any data is still encrypted with it.
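The following script is an added example, not part of this page or of the Edge Encryption proxy itself. It shows the fleet-wide safety check behind steps 2 and 3: a key is promoted to default only after every proxy's properties file declares it, so no proxy can encrypt data that a sibling proxy cannot read. The property names (edgeencryption.encrypter.key.default, edgeencryption.key.<id>.file), the key ids, and the three sample properties files are assumed for illustration; substitute the names and paths used in your own proxy configuration.

```shell
#!/bin/sh
# Added example (not ServiceNow's own tooling): pre-flight check for key rotation.
# Property names are ASSUMED for illustration; use the names from your proxy's
# encryption properties file.

# Succeed if properties file $1 declares any property for key id $2.
proxy_has_key() {
    grep -q "^edgeencryption\.key\.$2\." "$1"
}

# Print the key id currently set as default in properties file $1.
current_default() {
    sed -n 's/^edgeencryption\.encrypter\.key\.default=//p' "$1"
}

# Step 2: add key id $2 (stored at path $3) to properties file $1; idempotent.
add_key() {
    proxy_has_key "$1" "$2" ||
        printf 'edgeencryption.key.%s.file=%s\n' "$2" "$3" >> "$1"
}

# Succeed only when every properties file listed after the key id declares it.
all_proxies_have_key() {
    key=$1; shift
    ok=0
    for f in "$@"; do
        proxy_has_key "$f" "$key" || { echo "refusing: $f lacks key $key" >&2; ok=1; }
    done
    return $ok
}

# Step 3: make $1 the default everywhere, but only if step 2 is complete on
# every proxy. A proxy without the key could not decrypt fields another proxy
# encrypts under it, so the check is all-or-nothing across the fleet.
set_default_key() {
    key=$1; shift
    all_proxies_have_key "$key" "$@" || return 1
    for f in "$@"; do
        sed "s|^edgeencryption\.encrypter\.key\.default=.*|edgeencryption.encrypter.key.default=$key|" \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        echo "$f: default set to $key; restart this proxy" >&2
    done
}

# Constructed demo: three proxies rotating from key2023 to key2024.
WORK=$(mktemp -d)
for p in proxy1 proxy2 proxy3; do
    cat > "$WORK/$p.properties" <<'EOF'
edgeencryption.encrypter.key.default=key2023
edgeencryption.key.key2023.file=/opt/edgeencryption/keys/key2023.key
EOF
done
FILES="$WORK/proxy1.properties $WORK/proxy2.properties $WORK/proxy3.properties"

# Key added to only two of three proxies: promotion must be refused.
add_key "$WORK/proxy1.properties" key2024 /opt/edgeencryption/keys/key2024.key
add_key "$WORK/proxy2.properties" key2024 /opt/edgeencryption/keys/key2024.key
if set_default_key key2024 $FILES; then
    echo "unexpected: promoted while a proxy lacked the key" >&2
fi

# Once the third proxy also has the key, promotion proceeds on all of them.
add_key "$WORK/proxy3.properties" key2024 /opt/edgeencryption/keys/key2024.key
set_default_key key2024 $FILES &&
    echo "all proxies now default to $(current_default "$WORK/proxy3.properties")"
```

The restart reminder is printed rather than performed because the restart command is site-specific; in practice you would run the add step, restart every proxy, and only then run the promotion step, exactly as the procedure above orders them.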