MKEK Rotation
The CipherTrust Manager allows you to rotate the Master Key Encryption Key (MKEK). Key rotation protects the key material from malicious interceptions. For CipherTrust Managers using a Hardware Security Module (HSM) as a root of trust, you can also rotate the Root of Trust (RoT) key which is above the MKEK on the key hierarchy.
Note
Only Admin in the root domain is allowed to use MKEK APIs.
Managing MKEK using ksctl
The following operations can be performed:
Rotate MKEK
Get details of MKEK
List all MKEKs
Rotating MKEK
The rotation of a MKEK generates a new MKEK in a clustered as well as in a non-clustered setup. The secrets also get migrated to the new MKEK. It allows you to provide a custom name to the newly generated MKEK.
To rotate an MKEK, run:
Syntax
ksctl mkeks rotate --name <CustomName>
Example Request
ksctl mkeks rotate --name test
Example Response
{
"id": "9fb3264f-33ad-4f2b-ba5f-b3e841543bd9",
"name": "test",
"is_default": true,
"created_at": "2021-03-09T07:21:06.541873461Z",
"sealer_name": "none"
}
Note
The sealer_name
parameter value signifies whether the HSM is configured for the given instance of CipherTrust Manager. Values are:
• none
- HSM is not configured.
• rapido
- HSM is configured.
Getting Details of MKEK
To get details of an MKEK, run:
Syntax
ksctl mkeks get -i <mkek_id>
Example Request
ksctl mkeks get --id 9fb3264f-33ad-4f2b-ba5f-b3e841543bd9
Example Response
{
"id": "9fb3264f-33ad-4f2b-ba5f-b3e841543bd9",
"name": "test",
"is_default": true,
"created_at": "2021-03-09T07:21:06.541873461Z",
"sealer_name": "none"
}
Getting List of MKEKs
To get a list of MKEKs, run the following command. By default it returns only one MKEK on the system.
Syntax
ksctl mkeks list
Example Request
ksctl mkeks list
Example Response
{
"total": 1,
"info": [
{
"id": "658027ff-9780-4e9c-9041-cec99516a162",
"name": "mkek_sample_name",
"is_default": true,
"created_at": "2021-03-09T07:16:55.864674685Z",
"sealer_name": "none"
}
]
}
If you fetch the list of MKEKs during rotation process, it returns more than one MKEK on the system. To get a list of all MKEKs, run:
Syntax
ksctl mkeks list --all
Example Request
ksctl mkeks list --all
Example Response
{
"total": 2,
"info": [
{
"id": "632ac9aa-f927-4704-b9af-859b5e42fc8b",
"name": "632ac9aa-f927-4704-b9af-859b5e42fc8b",
"created_at": "2021-03-08T10:40:34.038989394Z",
"sealer_name": "none"
},
{
"id": "658027ff-9780-4e9c-9041-cec99516a162",
"name": "mkek_sample_name",
"is_default": true,
"created_at": "2021-03-09T07:16:55.864674685Z",
"sealer_name": "none"
}
]
}
In the above example response, you can see the two (2) MKEKs being listed. The MKEK with "is_default": true
parameter is the newly generated default MKEK. The other MKEK is the MKEK before rotation, which stays temporarily until the rotation process is complete.