Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Tasks

Re-encrypt data with new key

search

Please Note:

printsuggest an edit

Re-encrypt data with new key

Although encryption provides a high level of data security, it is possible that given enough time and resources, a skilled attacker could compromise an encryption key. The best way to limit the effect of this attack is to rotate the keys used to encrypt your data. Key rotation should be included as a regular part of your security maintenance plan.

The key rotation process creates a new column to hold the data encrypted with the new key. Once the key rotation is complete, the column holding the old encrypted data is removed, and the new column is renamed as the old encrypted data column. CDP allows online key rotation; you do not need to take the tables offline during the key rotation process. You can select, insert, update, and delete records from the database tables while the migration or key rotation is in progress. However, the operations may fail momentarily while waiting for locks. You can re-execute the statements to solve this problem.

Important Notes

  1. Before you can rotate keys, you must create keys of the same type and size as the old keys. In addition, it is important that the group permissions are exactly the same in the new key as they were in the old key.

  2. The Database User Login that you specified while configuring the database connection to CipherTrust Manager must be mapped to the owner of the key being used for key rotation. If this is not the case, the key rotation will not complete successfully. For example, if you specify sa as Database User Loginand you want to use key1 for key rotation, then the database user sa must be mapped to the owner of key1 for successful key rotation.

  3. While using non-versioned keys, you cannot use the same key for key rotation. However, in case of versioned keys, you can use the same key but the latest active version for key rotation. This allows you to re-encrypt the data (encrypted using an older version of the key) with the latest active version of the key.

  4. Key rotation is allowed in the following cases:

    • From a version of a versioned key to the latest active version of the same key.

    • From a versioned key to a different versioned key.

    • From a non-versioned key to a versioned key.

    • Key rotation from a versioned key to a non-versioned key is not allowed. If you select a non-versioned key as the new key for key rotation, an error is returned.

  5. Although the possibility of data loss during key rotation is extremely low, it is recommended to take backup of your existing data before performing key rotation. You can restore your data in the event of any data loss during the key rotation.

copy link to clipboardPrerequisite

The pdbctl utility must be installed. Refer to pdbctl utility documents for details.

copy link to clipboardSteps

To rotate a key used for encrypting a column for standard encryption, run the following command:

./pdbctl rotate -a <algorithm> -c <column_name> -d <database_alias> -k <key_name> -t <table_name>

To rotate a key used for encrypting a column for FPE, run the following command:

./pdbctl rotatefpe -a <algorithm> -c <column_name> -d <database_alias> -k <key_name> -t <table_ name>

copy link to clipboardFlags description

The following table describes the flags and parameters associated with this command:

FlagData TypeDescription
-astringEncryption algorithm used to rotate the column.
Possible values are:
> AES-128
> AES-192
> AES-256
-bintBatch size to be rotated. The value must be an integer. This is an optional parameter.
Default values:
> 1 - For large data types
> 1000 - For other data types.
-dstringDatabase alias associated with the database user.
-hFlag to view help for rotate command.
-istringNew IV value for the column.
-kstringKey generated on Key Manager to encrypt the column.
Note: The Key Manager user associated with the database alias must have encryption permission on the key.
-tstringTable name.
-- verbosePrint verbose logs.

Note

  • When performing re-encryption of large data types with batch size > 1, the following message is displayed:
    Re-Encrypting large datatype column(s) with batch size greater than 1 fails if it contains any data greater than 3936.

  • Continue only if the data length is ≤ 3936, otherwise, use the default batch size.

copy link to clipboardExample

The following sample command rotates the key associated with the column CITY in the table CUSTOMERS for the alias demo:

./pdbctl rotate -a AES -c CITY -d demo -k key_2 -t CUSTOMERS

To check the changes in the encryption parameters set for the columns in the table CUSTOMERS due to key rotation, use the listcolumns command.

./pdbctl listcolumns -a demo -t CUSTOMERS

The output is:

Column name: CUSTOMER_ID
Column type: NUMBER
Column width: 10
Column key: aes256
Column Algorithm: AES
Column Migrated: false
Column IV: 8D74E7CC0E659F2D8A8BC417750856FE
---------------------------------------------------------------
---------------------------------------------------------------
Column name: CUSTOMER_NAME
Column type: VARCHAR2
Column width: 50
Column key: aes256
Column Algorithm: AES
Column Migrated: false
Column IV: F1CCC60627D622C0535466C0BD1F9856
---------------------------------------------------------------
---------------------------------------------------------------
Column name: CITY
Column type: VARCHAR2
Column width: 50
Column key: **key_2**
Column Algorithm: AES
Column Migrated: false
Column IV: 4AAC53CB10E5E344F39686B0EC53AA34
---------------------------------------------------------------

In the output, the column key changed from aes256 to key_2 for the column CITY due to key rotation.

On this page