Keys in CTE-LDT (Versioned Keys)
CTE-LDT uses versioned keys. Each version of a particular versioned key has the same key name and encryption algorithm, but its own unique cryptographic material. That means that data encrypted with version 3 of a key named LDT-Key cannot be decrypted by any other version of LDT-Key, even though the key name remains the same.
Versioning allows you to add one key to your CTE-LDT encryption policy and then use different versions of that same key to periodically re-encrypt your data over time. CTE-LDT uses the new key material to transform data to the new key version, as part of the same Live Data Transformation policy that also protects the data. The process of re-encrypting data with a new version of the existing key is called Key Rotation.
In CipherTrust Manager, you can create a versioned key and then add that key to one or more Live Data Transformation policies. When you use CipherTrust Manager to create a new version of the key, CipherTrust Manager automatically pushes the new key version to any CTE clients associated with the Live Data Transformation policies that contain the key. As soon as the CTE Agent receives the new key, it begins transforming the data to the new key version in the background.
You can also create a Key Rotation Schedule in CipherTrust Manager that automatically rotates your keys periodically. When the scheduled rekey date is reached, CipherTrust Manager automatically creates a new key version and pushes it to any CTE clients that are associated with any policies that include the key. When CTE receives the new key version, it automatically starts the rekey process on the affected CTE-LDT GuardPoints.
Rekey | Key Rotation
In CTE-LDT, rekeying or key rotation means decrypting the data with a previous version of the key and re-encrypting it with a new version of the key. CTE-LDT allows users and applications to access data while CTE-LDT is rekeying the data. Rotating the key and re-encrypting the GuardPoint data with the new version of the key helps to maintain a high level of data security.
Most often, the rekey happens automatically based on the Key Rotation Schedule defined in CipherTrust Manager, but you can also generate a new version of the key manually whenever you want to rekey the GuardPoints associated with that key.
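The following Python model illustrates the versioned-key and rekey behavior described in the two sections above. It is an added example written for this page, not CTE or CipherTrust Manager code, and it does not reproduce their on-disk format or API. The assumptions are: a key object that holds one random 32-byte material per version number, a 4-byte version number stored in front of each ciphertext so the reader knows which version to use, and a stand-in stream cipher built from HMAC-SHA256 (counter-mode keystream plus an HMAC tag) used only because it needs no third-party library; a real deployment uses AES. The point it shows is that every version has distinct material, a ciphertext can only be opened with the version it was written under, and rekeying a GuardPoint is a per-file decrypt-with-old / encrypt-with-new pass during which untransformed files remain readable.

```python
import hashlib
import hmac
import os
import struct


class VersionedKey:
    """A named key whose versions share the name and algorithm but never the material.

    Illustrative model only (assumption): CTE/CipherTrust Manager store keys differently.
    """

    def __init__(self, name):
        self.name = name
        self.versions = {}
        self.rotate()  # creating the key creates version 1

    @property
    def current_version(self):
        return max(self.versions)

    def rotate(self):
        """Key rotation: add a new version with fresh random material and return its number."""
        new_version = self.current_version + 1 if self.versions else 1
        self.versions[new_version] = os.urandom(32)
        return new_version

    def material(self, version):
        if version not in self.versions:
            raise ValueError(f"{self.name}: unknown version {version}")
        return self.versions[version]


def _keystream(enc_key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256 (toy stand-in for AES; not for production).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(material):
    # Separate encryption and MAC keys derived from one version's material.
    return (hmac.new(material, b"enc", hashlib.sha256).digest(),
            hmac.new(material, b"mac", hashlib.sha256).digest())


def stored_version(blob):
    """Read the version number recorded in the ciphertext header (assumed 4-byte layout)."""
    return struct.unpack(">I", blob[:4])[0]


def encrypt(key, plaintext, version=None):
    """Encrypt under the given version (default: the current one); tag the blob with that version."""
    version = key.current_version if version is None else version
    enc_key, mac_key = _subkeys(key.material(version))
    nonce = os.urandom(16)
    header = struct.pack(">I", version) + nonce
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag


def decrypt(key, blob, version=None):
    """Decrypt using the version recorded in the header, or an explicitly requested version.

    Requesting any version other than the one the data was written under fails the tag
    check: same key name, different material, no decryption.
    """
    header, body, tag = blob[:20], blob[20:-32], blob[-32:]
    _, nonce = struct.unpack(">I", header[:4])[0], header[4:]
    version = stored_version(blob) if version is None else version
    enc_key, mac_key = _subkeys(key.material(version))
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError(f"{key.name} v{version}: authentication failed, wrong key version")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


def rekey(key, blob):
    """One file's share of a rekey: decrypt with its recorded version, re-encrypt with the current one."""
    plaintext = decrypt(key, blob, stored_version(blob))
    return encrypt(key, plaintext, key.current_version)


def rekey_guardpoint(key, files):
    """Transform every file not yet on the current version; return the names transformed.

    Because each blob carries its own version, files still waiting for transformation
    remain readable through decrypt() while this runs, as the text describes for CTE-LDT.
    """
    transformed = []
    for name, blob in files.items():
        if stored_version(blob) != key.current_version:
            files[name] = rekey(key, blob)
            transformed.append(name)
    return transformed


def build_sample_guardpoint(key):
    """Constructed sample data standing in for files under a GuardPoint."""
    return {name: encrypt(key, data) for name, data in
            [("/data/a.db", b"account table"), ("/data/b.log", b"audit trail")]}


if __name__ == "__main__":
    ldt_key = VersionedKey("LDT-Key")
    files = build_sample_guardpoint(ldt_key)
    print("rotated to version", ldt_key.rotate())
    print("readable before rekey:", decrypt(ldt_key, files["/data/a.db"]))
    print("transformed:", rekey_guardpoint(ldt_key, files))
    print("versions now:", {n: stored_version(b) for n, b in files.items()})
```

Rotating the key does not by itself change any stored data; only the rekey pass does, one file at a time, which is why a rotation followed immediately by reads still succeeds in the model. A second `rekey_guardpoint` call after a completed pass returns an empty list, the equivalent of a GuardPoint that has already reached the current version.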