MKEK Rotation
The CipherTrust Manager allows you to rotate the Master Key Encryption Key (MKEK). Rotating the key limits how long any one copy of the key material is in use and so protects it from malicious interception. For CipherTrust Managers that use a Hardware Security Module (HSM) as the root of trust, you can also rotate the Root of Trust (RoT) key, which sits above the MKEK in the key hierarchy.
Note
Only an Admin in the root domain is allowed to use the MKEK APIs.
Managing MKEK using ksctl
The following operations can be performed:
Rotate MKEK
Get details of MKEK
List all MKEKs
Rotating MKEK
Rotating an MKEK generates a new MKEK, in both clustered and non-clustered setups, and migrates the secrets to the new MKEK. You can give the newly generated MKEK a custom name.
To rotate an MKEK, run:
Syntax
Example Request
Example Response
Note
The sealer_name parameter value signifies whether an HSM is configured for the given instance of CipherTrust Manager. Values are:
none - HSM is not configured.
rapido - HSM is configured.
Getting Details of MKEK
To get details of an MKEK, run:
Syntax
Example Request
Example Response
Getting List of MKEKs
To get a list of MKEKs, run the following command. By default, it returns only one MKEK.
Syntax
Example Request
Example Response
If you fetch the list of MKEKs while a rotation is in progress, it returns more than one MKEK. To get a list of all MKEKs, run:
Syntax
Example Request
Example Response
In the example response above, two MKEKs are listed. The MKEK with "is_default": true is the newly generated default MKEK. The other is the MKEK from before the rotation, which remains temporarily until the rotation process completes.
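As an added illustration, not part of the CipherTrust Manager documentation or of the ksctl tool, the following Python snippet shows how an operator might check an MKEK list response for the state described above: exactly one default MKEK, more than one entry while a rotation is in progress, and a sealer_name that is either none or rapido. The "is_default" and "sealer_name" fields and the two sealer values come from this page; the "resources" array, the "id" and "name" fields and the sample values are assumptions about the response shape, constructed here only to make the example runnable.

```python
import json

# Constructed sample responses. The response shape ("resources" array with
# "id" and "name") is an assumption; only "is_default" and "sealer_name"
# (values: none / rapido) are taken from the documentation.
RESPONSE_DURING_ROTATION = json.dumps({
    "resources": [
        {"id": "mkek-0001", "name": "mkek-before", "is_default": False, "sealer_name": "rapido"},
        {"id": "mkek-0002", "name": "mkek-after", "is_default": True, "sealer_name": "rapido"},
    ]
})

RESPONSE_STEADY_STATE = json.dumps({
    "resources": [
        {"id": "mkek-0001", "name": "mkek-software", "is_default": True, "sealer_name": "none"},
    ]
})

# sealer_name values documented for CipherTrust Manager.
VALID_SEALERS = {"none", "rapido"}


def check_mkek_list(raw_response):
    """Parse an MKEK list response and summarise the rotation state.

    Returns a dict with the MKEK count, whether a rotation appears to be in
    progress (more than one MKEK present), the id of the default MKEK, whether
    that default is HSM-sealed (sealer_name == "rapido"), and a list of
    anomalies an operator would want to look at.
    """
    mkeks = json.loads(raw_response).get("resources", [])
    defaults = [m for m in mkeks if m.get("is_default") is True]
    problems = []

    # Invariant: there must be exactly one default MKEK at any time.
    if len(defaults) != 1:
        problems.append(f"expected exactly one default MKEK, found {len(defaults)}")

    # Only the two documented sealer values are expected.
    unexpected = {m.get("sealer_name") for m in mkeks} - VALID_SEALERS
    if unexpected:
        problems.append(f"unexpected sealer_name values: {sorted(map(str, unexpected))}")

    default = defaults[0] if len(defaults) == 1 else None
    return {
        "count": len(mkeks),
        "rotation_in_progress": len(mkeks) > 1,
        "default_id": default["id"] if default else None,
        "hsm_backed": (default["sealer_name"] == "rapido") if default else None,
        "problems": problems,
    }


if __name__ == "__main__":
    for label, raw in (("during rotation", RESPONSE_DURING_ROTATION),
                       ("steady state", RESPONSE_STEADY_STATE)):
        print(label, check_mkek_list(raw))
```

Feeding the output of the "list all MKEKs" command into check_mkek_list lets a monitoring job distinguish a rotation that is still in progress (two entries, one default) from the steady state (one entry), and flag a response with no default or more than one default, which should not occur and warrants investigation.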