Rekeying Overview
Data encryption keys are the keys used to encrypt data in a GuardPoint. Rekeying, also called key rotation, is the process of changing the encryption key used to encrypt your GuardPoint data. Changing GuardPoint encryption keys increases security and is required in some organizations. Best practices covered in the National Institute of Standards and Technology (NIST) Special Publication 800-57 dictate that encryption keys should be rotated periodically to protect data from compromise. This security, however, comes at a cost – namely, downtime to perform the re-encryption of the data.
There are two methods for rekeying:
- Using the dataxform utility — Data is encrypted in-place using the dataxform utility. This method is fast and easy, but requires total and exclusive access to the GuardPoint. All users and applications are blocked from accessing the data until dataxform is finished executing. See Rekeying with dataxform.
- Manual copying — A GuardPoint is created on a new directory or device and guarded using a new encryption key. Then the data is copied from the original GuardPoint to the new GuardPoint. During the copy, data is decrypted with the original key and encrypted with the new key when it is placed in the new GuardPoint. This method does not require exclusive access to the original GuardPoint, but requires extra storage space of at least the amount of data to be copied. It also requires more steps to ensure that the newly re-encrypted data is both protected by a policy using the new key and known to users or applications that require access to the data. See Rekeying Using the Manual Copy Method.
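The copy step of the manual method is where the practical risks sit: the target must have at least as much free space as the source, the new GuardPoint must be empty so nothing is silently merged, and the copy must be proven complete before users are pointed at it. The script below is an added example, not part of this documentation or of the dataxform tooling; it assumes the new directory has already been guarded with a policy using the new key, and that it runs as a user permitted by both policies to read cleartext, because transparent encryption means both trees present plaintext to an authorized user and the digests only agree under that assumption. The paths `/old/guardpoint` and `/new/guardpoint` are placeholders.

```shell
#!/bin/sh
# Added example (not the product's own code): copy-and-verify for the manual
# rekey method. The agent performs the decrypt-with-old-key / encrypt-with-new-key
# work transparently; this script only copies the plaintext view and checks it.

# Pick a SHA-256 tool that exists on this host (GNU coreutils or BSD/macOS).
digest_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo sha256sum
    else
        echo "shasum -a 256"
    fi
}

# Return 0 if the filesystem holding $2 has at least as much free space (KB)
# as the tree at $1 occupies; the page notes this is the main cost of the method.
has_space_for() {
    need=$(du -sk "$1" | awk '{print $1}')
    free=$(df -Pk "$2" | awk 'NR==2 {print $4}')
    [ "$free" -ge "$need" ]
}

# Return 0 only if the new GuardPoint directory exists and is empty.
is_empty_dir() {
    [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}

# Copy the contents of $1 into $2, preserving mode, ownership and timestamps.
# "$1/." copies the contents rather than nesting $1 inside $2 (works on GNU and BSD cp).
copy_tree() {
    cp -Rp "$1/." "$2/"
}

# Sorted "digest  ./relative/path" lines for every regular file under a tree root.
manifest() {
    ( cd "$1" && find . -type f -exec $(digest_cmd) {} + | sort -k2 )
}

# Return 0 if both trees contain exactly the same files with the same content.
# An extra, missing or altered file on either side makes the manifests differ.
verify_tree() {
    if [ "$(manifest "$1")" = "$(manifest "$2")" ]; then
        return 0
    fi
    echo "verify_tree: $1 and $2 differ" >&2
    return 1
}

# Full procedure: preflight checks, copy, then integrity verification.
# Exit codes: 2 = target not empty, 3 = insufficient space, 4 = copy failed, 1 = verify failed.
rekey_copy() {
    src="$1"; dst="$2"
    is_empty_dir "$dst"       || { echo "rekey_copy: $dst must be an empty directory" >&2; return 2; }
    has_space_for "$src" "$dst" || { echo "rekey_copy: not enough free space under $dst" >&2; return 3; }
    copy_tree "$src" "$dst"   || { echo "rekey_copy: copy failed" >&2; return 4; }
    verify_tree "$src" "$dst"
}

# Usage (placeholder paths): ./rekey_copy.sh /old/guardpoint /new/guardpoint
if [ "$#" -eq 2 ]; then
    rekey_copy "$1" "$2"
fi
```

Only after `rekey_copy` returns 0 should the old GuardPoint be retired and users or applications be repointed, which is the "more steps" the method description refers to; a non-zero exit leaves the original untouched, so the procedure can simply be rerun into a fresh empty target.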