Rotate encryption keys

You can perform encryption key rotation from the instance. You can add a new key, change the default key assignment, and then schedule a mass key rotation job.

Before setting an encryption key as the default key, make the key available to every proxy. A key can be assigned as the default only after all proxies have access to it; otherwise a proxy that lacks the key cannot encrypt data once that key becomes the default.

Note: Before removing a key from the proxy, ensure that no data on the instance uses the key. You can do this by setting up and running a mass key rotation job.

Schedule a single key rotation job

You can schedule a job to find data encrypted using a specified key alias and then re-encrypt the data with the current default encryption key. The data is decrypted before it is re-encrypted with the default key.

Before you begin

Role required: security-admin

Before scheduling this job, make sure you update the default key in Edge Encryption Configuration > Encryption Key Configuration > Set Default Keys.

Procedure

  1. Navigate to Edge Encryption Configuration > Maintenance > Schedule Single Key Rotation.
  2. Fill in the fields on the form, as appropriate.
    Field      Value
    Name       Enter a descriptive name.
    Job Type   Select Single Key Rotation.
    Key Alias  Enter the key to be retired. Make sure this key is no longer the default key in Edge Encryption Configuration > Encryption Key Configuration > Set Default Keys.
    Active     Clear this check box if you want to deactivate this job.
    Run        Select the period between job executions.
    Starting   Enter the date and time to run the job for the first time.
  3. Click the menu icon in the form header and select Save.
  4. To see an estimated count of records to be updated, click Estimate Record Count.

Schedule a mass key rotation job

You can schedule a job to find data encrypted with old keys and then re-encrypt the data with the current default encryption key. The data is decrypted before it is re-encrypted with the current default key.

Before you begin

Role required: security-admin

Procedure

  1. Navigate to Edge Encryption Configuration > Maintenance > Schedule Mass Key Rotation.
  2. Fill in the fields on the form, as appropriate.
    Field      Value
    Name       Enter a descriptive name.
    Job Type   Select Mass Key Rotation.
    Active     Clear this check box if you want to deactivate this job.
    Run        Select the period between job executions.
    Starting   Enter the date and time to run the job for the first time.
  3. Click the menu icon in the form header and select Save.
  4. To see an estimated count of records to be updated, click Estimate Record Count.
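The following added example (not ServiceNow code) models the single and mass key rotation jobs described above, together with the precondition that a key must be available on every proxy before it becomes the default. The key store, proxy names, record layout and the SHA-256-based XOR stream cipher are all assumptions standing in for the real Edge Encryption components.

```python
import hashlib
import os
from dataclasses import dataclass


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stand-in for the real cipher: a SHA-256 counter stream (not for production use).
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


@dataclass
class Record:
    key_alias: str      # alias of the key the ciphertext was produced with
    nonce: bytes
    ciphertext: bytes


class KeyStore:
    def __init__(self, proxies):
        self.keys = {}                                # alias -> key bytes (instance registry)
        self.proxies = {p: set() for p in proxies}    # proxy name -> aliases it holds
        self.default_alias = None

    def add_key(self, alias, key): self.keys[alias] = key
    def distribute(self, alias, proxy): self.proxies[proxy].add(alias)

    def set_default(self, alias):
        # Every proxy must hold the key before it may be assigned as the default.
        missing = [p for p, held in self.proxies.items() if alias not in held]
        if missing:
            raise ValueError(f"key {alias!r} is not available on proxies: {missing}")
        self.default_alias = alias

    def encrypt(self, plaintext: bytes) -> Record:
        nonce = os.urandom(12)
        ks = _keystream(self.keys[self.default_alias], nonce, len(plaintext))
        return Record(self.default_alias, nonce, bytes(a ^ b for a, b in zip(plaintext, ks)))

    def decrypt(self, rec: Record) -> bytes:
        ks = _keystream(self.keys[rec.key_alias], rec.nonce, len(rec.ciphertext))
        return bytes(a ^ b for a, b in zip(rec.ciphertext, ks))


def _needs_rotation(store, rec, retiring_alias):
    # Single key rotation targets one alias; mass rotation targets anything not on the default key.
    if retiring_alias is None:
        return rec.key_alias != store.default_alias
    return rec.key_alias == retiring_alias


def estimate_record_count(store, records, retiring_alias=None) -> int:
    return sum(_needs_rotation(store, r, retiring_alias) for r in records)


def rotate(store, records, retiring_alias=None) -> int:
    # Refuse to retire the key that is still the default: the job would re-encrypt with the same key.
    if retiring_alias is not None and retiring_alias == store.default_alias:
        raise ValueError("retiring key is still the default key; change the default first")
    rotated = 0
    for i, rec in enumerate(records):
        if _needs_rotation(store, rec, retiring_alias):
            records[i] = store.encrypt(store.decrypt(rec))   # decrypt with old key, re-encrypt with default
            rotated += 1
    return rotated
```

After `rotate` returns zero for a retiring alias, no stored record depends on that key any more, which is the condition the note above requires before removing a key from a proxy.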

Schedule an attachment key rotation job

You can schedule a job to find attachments encrypted using a specified key alias and then re-encrypt the attachments with the current default encryption key. The attachment is decrypted before it is re-encrypted with the default key.

Before you begin

Role required: security-admin

Procedure

  1. Navigate to Edge Encryption Configuration > Maintenance > Schedule Attachment Key Rotation.
  2. Fill in the fields on the form, as appropriate.
    Field      Value
    Name       Enter a descriptive name.
    Job Type   Select Attachment Key Rotation.
    Active     Clear this check box if you want to deactivate this job.
    Table      Select a table.
    Run        Select the period between job executions.
    Starting   Enter the date and time to run the job for the first time.
  3. Click the menu icon in the form header and select Save.
  4. To see an estimated count of records to be updated, click Estimated Record Count.
  5. To run the job immediately, click Execute Now.