How to Rotate a Key
Key rotation is the act of creating new key bytes (a new key version) and using those key bytes for future encryption. Existing data is not affected.
A Thales token vault is always encrypted with a versioned key. This type of key maintains a specific set of metadata (algorithm, key length, permissions, etc.) but its key bytes, the values used in the actual encryption algorithm, are different for each version of the key.
Because Thales token vaults use versioned keys, key rotation involves simply creating a new key version using the Key Manager. The Key Manager administrator does not need access to the token vault.
You can rotate keys using either of the following ways:
Using CT-V Client
You can also rotate a key by calling RotateKey from a CT-V client. Use the following command to rotate a key:
java -cp SafeNetTokenService-8.12.4.000.jar com.safenet.token.RotateKey dbtable naeUser naePassword dbUser dbPswd
You can also provide database properties while rotating the key as shown below:
java -cp SafeNetTokenService-8.12.4.000.jar com.safenet.token.RotateKey dbtable naeUser naePassword dbUser dbPswd [HostName=<DB HostName>] [Port=<DB Port>] [DBName=<DB Name>]
Where,
dbtable is the token vault - it must be in CAPITAL letters
naeUser is the Key Manager user name
naePassword is the Key Manager password
name, dbUser is the name of the database user
dbPswd is the database user’s password
HostName is the database host name where your token vault resides
Port is the database port
DBName is the database name
Note
If the HostName, Port, and DBName parameters are configured, these values are given precedence over the values specified in the SafeNetToken.properties file and these parameters are supported for MySQL database only.
The last three points are optional.