Perform encryption key rotation from the instance. Add a new key, change the default key assignment, and then schedule a mass key rotation or a single key rotation.

Before setting an encryption key as the default key, make the key available to each proxy. This ensures that the proxies have the key to encrypt data when the key is assigned as the default key. All proxies must have access to a key before that key can be assigned as the default key.

Warning: Before deleting a key from the proxy, set up and run a mass key rotation job to ensure that no data on the instance uses the key. If any information is still encrypted with that key, you cannot decrypt the information after you delete the key.

Edge filtering and sorting behavior

Whenever you change default keys, be sure to perform a key rotation (either mass or single key rotation). Otherwise, you may receive unexpected results when sorting and filtering records. For example, consider the following scenario:
  1. You create encrypted records using one encryption key.
  2. You create a new key and set it as default.
  3. You create a new set of encrypted records using the new encryption key.
If you filter by any encrypted field when connected through the Edge proxy, all records may not be filtered out correctly, or records may appear unexpectedly. The filter works only for records encrypted using the current default key. The records encrypted using the previous default key still appear in the list view.

If you sort by any encrypted field when connected through the Edge proxy, you see two groups of records with the same human readable text in the encrypted field.

Schedule a single key rotation job

Schedule a job to find data encrypted using a specified key alias and then re-encrypt the data with the current default encryption key. The data is decrypted before it is re-encrypted with the default key.

Before you begin

Role required: security_admin

Before scheduling this job, update the default key in Edge Encryption Configuration > Encryption Key Configuration > Set Default Keys.

Procedure

  1. Navigate to Edge Encryption Configuration > Maintenance > Schedule Single Key Rotation.
  2. Fill in the fields on the form as appropriate.
    FieldValue
    Name Enter a descriptive name.
    Job Type Select Single Key Rotation.
    Key Enter the key to be retired. Verify that this key is no longer the default key in Edge Encryption Configuration > Encryption Key Configuration > Set Default Keys.
    Estimate record count Total estimated number of records to process. Not available when running a single key rotation.
    Process Historical Records

    Select to process historical records in the Audit table if the field is audited. When encrypting historical records for a field in the Audit table, both new values and old values are encrypted. This field is read only and active.

    To learn more about audited fields, see Auditing.
    Estimate Maximum Audit Record Count Estimated maximum number of audited records to process. Not available when running a single key rotation.
    Active Clear this check box if you want to deactivate this job.
    Run Select the period between job executions.
    Starting Enter the date and time to run the job for the first time.
  3. Click the menu icon in the form header and select Save.
    Estimate Record Count is not supported when processing audited fields.

Schedule a mass key rotation job

Schedule a job to find data encrypted with any previous key, and then re-encrypt the data with the current default encryption keys. The data is decrypted before it is re-encrypted with the current default key.

Before you begin

Role required: security_admin

Procedure

  1. Navigate to All > Edge Encryption Configuration > Maintenance > Schedule Mass Key Rotation.
  2. Fill in the fields on the form as appropriate.
    FieldValue
    Name Enter a descriptive name.
    Job Type Select Mass Key Rotation.
    Estimate record count Total estimated number of records to process. Not available when running a mass key rotation.
    Process Historical Records

    Select to process historical records in the Audit table if the field is audited. When encrypting historical records for a field in the Audit table, both new values and old values are encrypted. This field is read only and active.

    To learn more about audited fields, see Auditing.
    Estimate Maximum Audit Record Count Estimated maximum number of audited records to process. Not available when running a mass key rotation.
    Active Clear this check box to deactivate this job.
    Run Select the period between job executions.
    Starting Enter the date and time to run the job for the first time.
  3. Click the menu icon in the form header and select Save.
    Estimate Record Count is not supported when processing audited fields.

Schedule an attachment key rotation job

Schedule a job to find attachments encrypted using a specified key alias, and then re-encrypt the attachments with the current default encryption key. The attachment is decrypted before it is re-encrypted with the default key.

Before you begin

Role required: security_admin

Procedure

  1. Navigate to All > Edge Encryption Configuration > Maintenance > Schedule Attachment Key Rotation.
  2. Fill in the fields on the form as appropriate.
    FieldValue
    Name Enter a descriptive name.
    Job Type Select Attachment Key Rotation.
    Active Clear the check mark if you want to deactivate this job.
    Table Select a table.
    Run Select the period between job executions.
    Starting Enter the date and time to run the job for the first time.
  3. Click the menu icon in the form header and select Save.
  4. To see an estimated count of records to be updated, click Estimated Record Count.
  5. To run the job immediately, click Execute Now.