Configure encryption keys on the instance

Edge Encryption provides the tools to manage encryption keys without taking the proxy offline.

Before you begin

Role required: security-admin
Before setting up new encryption keys on the instance, you must do the following.
  1. Create the encryption key.
  2. Make the new key available to all encryption proxies. You can accomplish this either by copying the key file or Java KeyStore file to each proxy, or by ensuring that each proxy has access to the Java KeyStore or NAE device.

About this task

Key aliases must be unique. Each key alias must have the same key size and type on each proxy, or the key cannot be assigned as the default.

Procedure

  1. Navigate to Edge Encryption Configuration > Encryption Key Configuration > Set Up Keys.
    The Encryption Key Configuration - Created form is shown.
  2. Add new keys.
    Rows in the list with an X in the left column can be deleted. Keys that have been used as the default, or that are in the Available state, cannot be deleted.
    1. Double-click the row that says Insert a new row...
      An edit box is shown.
    2. Enter a name for the key, then click the check mark.
      Key aliases are lowercase letters and numbers. Capital letters are changed to lowercase letters when you click Submit. Key aliases must be unique.
    3. In the same row, double-click in the Key size column.
      A select box is shown.
    4. Select a key size, either 128 bits or 256 bits, then click the check mark.
    5. In the same row, double-click in the Type column.
      A select box is shown.
    6. Select a key type, either File, Keystore, or SafeNet, then click the check mark.
    7. When you are done adding keys, click Next Step.
      You must specify an alias, key size, and key type for each key before moving on.
      The form moves to the Key Status step.
  3. When the key status becomes Available, click Next Step.
    The instance tracks the status of every encryption key available to any proxy. When a key alias is available on all proxies, its state becomes Available. If, after a few minutes, the state does not change, check that the key is available on all proxies. If the state remains Unavailable, one or more of the proxies does not have the key alias.
    Table 1. Encryption key states
    Status       Description
    Available    All online proxies have the key.
    Unavailable  This is a new key and the proxies have not yet loaded the key, or at least one proxy failed to load the key.
  4. On the Change Default Keys tab, either type the key alias or click the spy glass icon and select an alias, and then click Next Step.
    The form moves to the Schedule Key Rotation step.
  5. If desired, create and run a mass encryption job to encrypt existing data using the new encryption key.

    If you do not run a mass encryption job, existing data remains encrypted with the old key until the data is accessed again.
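The alias rules from step 2 (lowercase letters and digits, unique), the Table 1 state rule (Available only when every online proxy has loaded the alias) and the requirement from About this task (same key size and type on every proxy before an alias can become the default) can be written down as a small check. The Python below is an added example, not ServiceNow's or Edge Encryption's code; the page does not describe how proxies report their loaded keys, so the proxy names, the report structure and the key entries are constructed assumptions used only to illustrate the rules.

```python
import re
from dataclasses import dataclass

# Alias rule from the procedure: lowercase letters and numbers only.
ALIAS_RE = re.compile(r"[a-z0-9]+")


def normalize_alias(raw: str) -> str:
    """Lowercase the alias, as Submit does, then enforce the letters-and-digits rule."""
    alias = raw.lower()
    if not ALIAS_RE.fullmatch(alias):
        raise ValueError(f"invalid key alias {raw!r}: use lowercase letters and digits only")
    return alias


@dataclass(frozen=True)
class KeyEntry:
    """One key as a proxy reports it: alias, size in bits (128/256), and type."""
    alias: str
    size: int
    kind: str  # "File", "Keystore" or "SafeNet"


# Constructed sample (assumption): the keys each online proxy has loaded.
# proxy-b never received the "legacy" key; proxy-c holds "key2024" at the wrong size.
PROXY_REPORTS = {
    "proxy-a": {KeyEntry("key2024", 256, "Keystore"), KeyEntry("legacy", 128, "File")},
    "proxy-b": {KeyEntry("key2024", 256, "Keystore")},
    "proxy-c": {KeyEntry("key2024", 128, "Keystore"), KeyEntry("legacy", 128, "File")},
}


def proxies_missing_key(alias: str, reports: dict) -> list:
    """Return the proxies that have not loaded the alias (the check step 3 asks for)."""
    return sorted(name for name, keys in reports.items()
                  if not any(k.alias == alias for k in keys))


def key_status(alias: str, reports: dict) -> str:
    """Table 1: Available only when all online proxies have the key."""
    return "Available" if not proxies_missing_key(alias, reports) else "Unavailable"


def can_be_default(alias: str, reports: dict) -> tuple:
    """An alias may become the default only if it is Available and every
    proxy holds it with the same key size and type."""
    if key_status(alias, reports) != "Available":
        missing = ", ".join(proxies_missing_key(alias, reports))
        return False, f"{alias} is Unavailable; missing on: {missing}"
    variants = {(k.size, k.kind) for keys in reports.values()
                for k in keys if k.alias == alias}
    if len(variants) != 1:
        return False, f"{alias} has differing size/type across proxies: {sorted(variants)}"
    return True, f"{alias} is eligible as the default key"


if __name__ == "__main__":
    for alias in ("key2024", "legacy"):
        print(alias, key_status(alias, PROXY_REPORTS), can_be_default(alias, PROXY_REPORTS))
```

In the constructed sample, key2024 reaches the Available state because every proxy loaded it, but it still cannot be assigned as the default because proxy-c loaded it as a 128-bit key while the others hold 256 bits; legacy stays Unavailable because proxy-b never received it, and proxies_missing_key names that proxy, which is the first thing to check when a state does not change after a few minutes.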