Rotate key
The key rotation process creates a new column to hold the data encrypted with the new key. Once the key rotation is complete, the column holding the old encrypted data is removed, and the new column is renamed as the old encrypted data column.
Steps
To rotate a key used for encrypting a column for standard encryption, run the following command:
./pdbctl rotate -a <algorithm> -c <column_name> -d <database_alias> -k <key_name> -t <table_name>
To rotate a key used for encrypting a column for FPE, run the following command:
./pdbctl rotatefpe -a <algorithm> -c <column_name> -d <database_alias> -k <key_name> -t <table_name>
Flags description
The following table describes the flags and parameters associated with this command:
Flag | Data Type | Description |
---|---|---|
-a | string | Encryption algorithm used to rotate the column. Possible values: AES-128, AES-192, AES-256. |
-b | int | Batch size to be rotated. The value must be an integer. This is an optional parameter. Default values: 1 for large data types, 1000 for other data types. |
-c | string | Name of the column whose key is being rotated. |
-d | string | Database alias associated with the database user. |
-h | | Flag to view help for the rotate command. |
-i | string | New IV value for the column. |
-k | string | Key generated on Key Manager to encrypt the column. Note: The Key Manager user associated with the database alias must have encryption permission on the key. |
-t | string | Table name. |
--verbose | | Print verbose logs. |
Note: When re-encrypting large data types with a batch size greater than 1, the following message is displayed: Re-Encrypting large datatype column(s) with batch size greater than 1 fails if it contains any data greater than 3936.
Continue only if every value in the column has a length of 3936 or less; otherwise, use the default batch size.
Example
The following sample command rotates the key associated with the column CITY in the table CUSTOMERS for the alias demo:
./pdbctl rotate -a AES -c CITY -d demo -k key_2 -t CUSTOMERS
To check the changes in the encryption parameters set for the columns in the table CUSTOMERS due to key rotation, use the listcolumns command.
./pdbctl listcolumns -a demo -t CUSTOMERS
Output
Column name: CUSTOMER_ID
Column type: NUMBER
Column width: 10
Column key: aes256
Column Algorithm: AES
Column Migrated: false
Column IV: 8D74E7CC0E659F2D8A8BC417750856FE
---------------------------------------------------------------
---------------------------------------------------------------
Column name: CUSTOMER_NAME
Column type: VARCHAR2
Column width: 50
Column key: aes256
Column Algorithm: AES
Column Migrated: false
Column IV: F1CCC60627D622C0535466C0BD1F9856
---------------------------------------------------------------
---------------------------------------------------------------
Column name: CITY
Column type: VARCHAR2
Column width: 50
Column key: **key_2**
Column Algorithm: AES
Column Migrated: false
Column IV: 4AAC53CB10E5E344F39686B0EC53AA34
---------------------------------------------------------------
In the output, the column key changed from aes256 to key_2 for the column CITY due to key rotation.
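The rotation process described at the top of this page (new column, batched re-encryption, drop the old column, rename the new one) and the effect the -b batch size and the IV change have on it can be seen end to end in the following simulation. This is an added example, not pdbctl code: it runs the same sequence of steps against an in-memory SQLite table named CUSTOMERS. Everything else is an assumption made for the example: an HMAC-SHA256 counter-mode keystream stands in for AES, a column_meta table stands in for the per-column key name and IV that listcolumns prints, and the KEYS dictionary stands in for Key Manager.

```python
"""Added example (not pdbctl code): column key rotation simulated on SQLite.
Assumed stand-ins: HMAC-SHA256 keystream for AES, column_meta for the
per-column key/IV metadata, KEYS for Key Manager."""
import hashlib
import hmac
import secrets
import sqlite3

BLOCK = 32  # bytes of keystream produced per HMAC-SHA256 call

# Stand-in for Key Manager: key name -> 256-bit key material (constructed).
KEYS = {"aes256": secrets.token_bytes(32), "key_2": secrets.token_bytes(32)}


def xor_keystream(key: bytes, iv: bytes, data: bytes) -> bytes:
    """AES stand-in: XOR data with an HMAC-SHA256 counter-mode keystream.
    Because it is a pure XOR, the same call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        counter = (offset // BLOCK).to_bytes(4, "big")
        keystream = hmac.new(key, iv + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + BLOCK], keystream))
    return bytes(out)


def setup_demo_db() -> sqlite3.Connection:
    """Constructed sample: CUSTOMERS with CITY encrypted under key aes256."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE column_meta (tbl TEXT, col TEXT, key_name TEXT, iv BLOB)")
    conn.execute("CREATE TABLE CUSTOMERS (CUSTOMER_ID INTEGER PRIMARY KEY, "
                 "CUSTOMER_NAME TEXT, CITY BLOB)")
    iv = secrets.token_bytes(16)
    conn.execute("INSERT INTO column_meta VALUES (?, ?, ?, ?)", ("CUSTOMERS", "CITY", "aes256", iv))
    sample = [(1, "Alice", "Paris"), (2, "Bob", "Lima"), (3, "Chen", None), (4, "Dana", "Oslo")]
    conn.executemany(
        "INSERT INTO CUSTOMERS VALUES (?, ?, ?)",
        [(i, n, None if c is None else xor_keystream(KEYS["aes256"], iv, c.encode()))
         for i, n, c in sample])
    conn.commit()
    return conn


def column_key(conn, table, column):
    """Key name currently recorded for the column (what listcolumns shows as Column key)."""
    return conn.execute("SELECT key_name FROM column_meta WHERE tbl = ? AND col = ?",
                        (table, column)).fetchone()[0]


def rotate_column(conn, table, column, new_key_name, batch_size=1000):
    """Re-encrypt one column under new_key_name following the page's process:
    add a temporary column, fill it batch by batch, drop the old column, rename."""
    if sqlite3.sqlite_version_info < (3, 35, 0):
        raise RuntimeError("ALTER TABLE ... DROP COLUMN needs SQLite 3.35 or newer")
    cur = conn.cursor()
    old_key_name, old_iv = cur.execute(
        "SELECT key_name, iv FROM column_meta WHERE tbl = ? AND col = ?", (table, column)).fetchone()
    old_key, new_key = KEYS[old_key_name], KEYS[new_key_name]
    new_iv = secrets.token_bytes(16)  # rotation also changes the column IV, as listcolumns shows
    tmp = f"{column}__rotating"
    cur.execute(f'ALTER TABLE "{table}" ADD COLUMN "{tmp}" BLOB')

    last_rowid, done = 0, 0
    while True:  # walk the table in batches of -b rows, keyed on rowid so no row is skipped or repeated
        rows = cur.execute(
            f'SELECT rowid, "{column}" FROM "{table}" WHERE rowid > ? ORDER BY rowid LIMIT ?',
            (last_rowid, batch_size)).fetchall()
        if not rows:
            break
        cur.executemany(
            f'UPDATE "{table}" SET "{tmp}" = ? WHERE rowid = ?',
            [(None if ct is None else
              xor_keystream(new_key, new_iv, xor_keystream(old_key, old_iv, ct)), rid)
             for rid, ct in rows])
        last_rowid, done = rows[-1][0], done + len(rows)

    # Refuse to drop the old ciphertext while any row is still unconverted.
    unconverted = cur.execute(
        f'SELECT COUNT(*) FROM "{table}" WHERE "{column}" IS NOT NULL AND "{tmp}" IS NULL').fetchone()[0]
    if unconverted:
        raise RuntimeError(f"{unconverted} row(s) not re-encrypted; old column kept")
    cur.execute(f'ALTER TABLE "{table}" DROP COLUMN "{column}"')
    cur.execute(f'ALTER TABLE "{table}" RENAME COLUMN "{tmp}" TO "{column}"')
    cur.execute("UPDATE column_meta SET key_name = ?, iv = ? WHERE tbl = ? AND col = ?",
                (new_key_name, new_iv, table, column))
    conn.commit()
    return done


def decrypt_column(conn, table, column):
    """Decrypt every value of the column under whatever key column_meta now records."""
    key_name, iv = conn.execute("SELECT key_name, iv FROM column_meta WHERE tbl = ? AND col = ?",
                                (table, column)).fetchone()
    return [None if ct is None else xor_keystream(KEYS[key_name], iv, ct).decode()
            for (ct,) in conn.execute(f'SELECT "{column}" FROM "{table}" ORDER BY rowid')]


def column_names(conn, table):
    return [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]


def demo():
    """Equivalent of: rotate -b 2 -c CITY -d demo -k key_2 -t CUSTOMERS, then listcolumns."""
    conn = setup_demo_db()
    before = column_key(conn, "CUSTOMERS", "CITY")
    rotated = rotate_column(conn, "CUSTOMERS", "CITY", "key_2", batch_size=2)
    return (before, column_key(conn, "CUSTOMERS", "CITY"), rotated,
            decrypt_column(conn, "CUSTOMERS", "CITY"), column_names(conn, "CUSTOMERS"))


if __name__ == "__main__":
    print(demo())
```

The count check before the DROP COLUMN is the part worth copying into any home-grown rotation job: the old ciphertext is the only recoverable copy of the data until every row has a value in the new column, so the swap must be refused, not merely logged, when the batch loop has left rows behind. NULL values are carried across as NULL rather than encrypted, and the batch cursor is keyed on rowid so a restart can resume from the last converted row.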