Re-encrypt data with new key
Although encryption provides a high level of data security, it is possible that given enough time and resources, a skilled attacker could compromise an encryption key. The best way to limit the effect of this attack is to rotate the keys used to encrypt your data. Key rotation should be included as a regular part of your security maintenance plan.
The key rotation process creates a new column to hold the data encrypted with the new key. Once the key rotation is complete, the column holding the old encrypted data is removed, and the new column is renamed as the old encrypted data column. CDP allows online key rotation; you do not need to take the tables offline during the key rotation process. You can select, insert, update, and delete records from the database tables while the migration or key rotation is in progress. However, the operations may fail momentarily while waiting for locks. You can re-execute the statements to solve this problem.
Important Notes
Before you can rotate keys, you must create keys of the same type and size as the old keys. In addition, it is important that the group permissions are exactly the same in the new key as they were in the old key.
The Database User Login that you specified while configuring the database connection to CipherTrust Manager must be mapped to the owner of the key being used for key rotation. If this is not the case, the key rotation will not complete successfully. For example, if you specify `sa` as the Database User Login and you want to use `key1` for key rotation, then the database user `sa` must be mapped to the owner of `key1` for successful key rotation.
When using non-versioned keys, you cannot use the same key for key rotation. With versioned keys, however, you can use the same key, provided you rotate to its latest active version. This allows you to re-encrypt data that was encrypted with an older version of the key using the latest active version of that key.
Key rotation is allowed in the following cases:
- From a version of a versioned key to the latest active version of the same key.
- From a versioned key to a different versioned key.
- From a non-versioned key to a versioned key.
Key rotation from a versioned key to a non-versioned key is not allowed. If you select a non-versioned key as the new key for key rotation, an error is returned.
Although the possibility of data loss during key rotation is extremely low, it is recommended that you take a backup of your existing data before performing key rotation. You can then restore your data in the event of any data loss during the key rotation.
Prerequisite
The pdbctl utility must be installed. Refer to pdbctl utility documents for details.
Steps
To rotate a key used for encrypting a column for standard encryption, run the following command:
```
./pdbctl rotate -a <algorithm> -c <column_name> -d <database_alias> -k <key_name> -t <table_name>
```
To rotate a key used for encrypting a column for FPE, run the following command:
```
./pdbctl rotatefpe -a <algorithm> -c <column_name> -d <database_alias> -k <key_name> -t <table_name>
```
Flags description
The following table describes the flags and parameters associated with this command:
Flag | Data Type | Description |
---|---|---|
-a | string | Encryption algorithm used to rotate the column. Possible values: AES-128, AES-192, AES-256. |
-b | int | Batch size to be rotated. The value must be an integer. This is an optional parameter. Default values: 1 for large data types; 1000 for other data types. |
-c | string | Name of the column whose encryption key is being rotated. |
-d | string | Database alias associated with the database user. |
-h | | Flag to view help for the rotate command. |
-i | string | New IV value for the column. |
-k | string | Key generated on Key Manager to encrypt the column. Note: The Key Manager user associated with the database alias must have encryption permission on the key. |
-t | string | Table name. |
--verbose | | Print verbose logs. |
Note
When performing re-encryption of large data types with batch size > 1, the following message is displayed:
Re-Encrypting large datatype column(s) with batch size greater than 1 fails if it contains any data greater than 3936.
Continue only if the data length is ≤ 3936; otherwise, use the default batch size.
Example
The following sample command rotates the key associated with the column CITY in the table CUSTOMERS for the alias demo:
```
./pdbctl rotate -a AES -c CITY -d demo -k key_2 -t CUSTOMERS
```
To check the changes in the encryption parameters set for the columns in the table CUSTOMERS due to key rotation, use the listcolumns command:
```
./pdbctl listcolumns -a demo -t CUSTOMERS
```
The output is:
```
Column name: CUSTOMER_ID
Column type: NUMBER
Column width: 10
Column key: aes256
Column Algorithm: AES
Column Migrated: false
Column IV: 8D74E7CC0E659F2D8A8BC417750856FE
---------------------------------------------------------------
---------------------------------------------------------------
Column name: CUSTOMER_NAME
Column type: VARCHAR2
Column width: 50
Column key: aes256
Column Algorithm: AES
Column Migrated: false
Column IV: F1CCC60627D622C0535466C0BD1F9856
---------------------------------------------------------------
---------------------------------------------------------------
Column name: CITY
Column type: VARCHAR2
Column width: 50
Column key: key_2
Column Algorithm: AES
Column Migrated: false
Column IV: 4AAC53CB10E5E344F39686B0EC53AA34
---------------------------------------------------------------
```
In the output, the column key for the column CITY changed from aes256 to key_2 as a result of the key rotation.
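Checking the listcolumns output by eye does not scale to tables with many columns. The following added example (not part of pdbctl or the CipherTrust documentation) parses the record format shown above and verifies that a column now reports the new key and that no column is still bound to the retired key; the sample output is constructed for illustration.

```python
import re

# Constructed sample in the record format printed by "pdbctl listcolumns" (values are made up).
SAMPLE_OUTPUT = """\
Column name: CUSTOMER_ID
Column type: NUMBER
Column width: 10
Column key: aes256
Column Algorithm: AES
Column Migrated: false
Column IV: 8D74E7CC0E659F2D8A8BC417750856FE
---------------------------------------------------------------
Column name: CITY
Column type: VARCHAR2
Column width: 50
Column key: key_2
Column Algorithm: AES
Column Migrated: false
Column IV: 4AAC53CB10E5E344F39686B0EC53AA34
---------------------------------------------------------------
"""
_FIELD = re.compile(r"^Column (\w+): (.*)$")

def parse_listcolumns(text):
    """Return {column_name: {field: value}}; records end at a dashed line (repeats tolerated)."""
    columns, current = {}, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) == {"-"}:
            if current:
                columns[current["name"]] = current
                current = {}
            continue
        m = _FIELD.match(line)
        if not m:
            raise ValueError(f"unexpected listcolumns line: {line!r}")
        current[m.group(1).lower()] = m.group(2).strip()
    if current:
        columns[current["name"]] = current
    return columns

def verify_rotation(text, column, new_key):
    """Check that `column` now reports `new_key`; returns (ok, detail)."""
    cols = parse_listcolumns(text)
    if column not in cols:
        return False, f"column {column} not listed"
    found = cols[column]["key"]
    return found == new_key, f"{column}: key={found}"

def columns_using_key(text, key_name):
    # Columns still encrypted under key_name, e.g. the key being retired.
    return sorted(n for n, c in parse_listcolumns(text).items() if c["key"] == key_name)
```

Feed the real command output to verify_rotation after each rotate run, and treat a non-empty columns_using_key result for the old key as a sign that rotation is still incomplete.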