Changing the Encryption Key on Teradata Devices
To meet various compliance requirements, you may want to change the key that CTE used to encrypt the Teradata Database devices. This process is called “Key rotation” or “Rekey”.
If you want to rekey a Teradata Database device, you can either:
- Follow the process for standard IDT-Capable GuardPoints. For details, see Changing the Encryption Key on Linux IDT-Capable Devices.
- Use the Backup/Restore method as described in Initialize and Guard the Teradata Database Devices Using the Backup/Restore Method. The only differences between the initial configuration described in that section and the rekey process are:
  - You do not need to change the policy assigned to the CTE Metadata Directory.
  - You need to create a new In-Place Data Transformation policy that specifies a key rule with the existing key used to encrypt the Database devices in the Current Key field, and the new XTS/CBC-CS1 AES 256 key that you want to use to encrypt the data in the New Key field.
  - When you re-guard the designated node in each clique, make sure that you use the new policy so that CTE knows it needs to re-encrypt the data with the new key after you restore the devices from the backup.
Make sure that you stop the Teradata database before you rekey the devices.
Rekeying a device must be executed on one and only one of the nodes in the cluster. DO NOT prepare the device for rekey or guard the device with the new rekey policy on multiple nodes in the cluster, because doing so initiates the data transformation process on the device from multiple nodes at once. The simultaneous attempts to rekey the data can corrupt all of the data on the entire device.