Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Rotating Encryption Keys (Rekey)

Creating a Key Rotation Schedule

search

Please Note:

printsuggest an editpdf paneldownload

Creating a Key Rotation Schedule

In CipherTrust Manager, you can create an automatic key rotation schedule that will automatically rotate all of the keys included in the schedule on a periodic basis. As soon as CipherTrust Manager creates a new version of a key, it pushes the new version to any clients associated with the policies that use the key. If the policy is a Live Data Transformation policy, CTE automatically begins rekeying the data in the LDT GuardPoint with the new version of the key.

  1. In the CipherTrust Manager Applications Page, open the Admin Settings application.

  2. Click Schedules in the left-hand menu bar.

    CipherTrust Manager displays the existing key rotation and backup schedules that have been defined in the system. Thales strongly recommends that you look at any existing key rotation schedules to make sure that the keys you want to rotate are not already included in one of those existing schedules.

    If the existing key rotation schedules do not include the keys you want to rotate, continue with this procedure to create a new schedule.

  3. On the Schedules page, click Add Schedule.

  4. On the Select Schedule Type page, click Key Rotation and click Next.

  5. Add a schedule name and description. Make sure you name the schedule as descriptively as possible so that other users can tell at a glance what keys that schedule includes. For example, you could name the schedule "Rotate-LDT-Keys" and use the description "Rotates all keys with "LDT" in their name on a yearly basis."

    When you are done, click Next.

  6. On the Schedule Config page, enter the following information:

    • Duration. Enter the day and time on which CipherTrust Manager should start using the key rotation schedule in the Schedule Starts field. When this day and time is reached, CipherTrust Manager looks at the date in the Frequency section and automatically creates a new version on that date.

      Enter the day the schedule should end in the Schedule Ends field, or select the Never check box to tell CipherTrust Manager there is no end date for this key rotation schedule. If you select a date in this field, CipherTrust Manager automatically stops creating new key versions when that day and time are reached.

    • Frequency. Select the Basic radio button to specify the frequency (daily, weekly, monthly, or yearly) and the UTC time at which CipherTrust Manager should automatically rotate the key after the schedule starts.

      Select the Raw (Cron) radio button to create a cron job to control the key rotation schedule. Specify cron format in the following order:

      minute, hour, day of month, month, and day of week

      These five values indicate when the job should be executed. These values are mandatory and must be specified in the order given. The allowable values are:

      Field Allowed Values
      minute 0-59 or * / , -
      hour 0-23 or * / , -
      day of month 1-31 or * / , -
      month 1-12 or JAN-DEC or * / , -
      This field is case in-sensitive, so JAN, Jan, or jan are all equally valid.
      day of week 0-6 or SUN-SAT or * / , -
      This field is case in-sensitive, so SAT, Sat, or sat are all equally valid.

      Examples:

      • December 31 at 2:35 AM UTC could be specified as: 35 2 31 Dec *.

      • On the 25th of every April, August, and December at midnight UTC could be specified as: 0 25 APR,Aug,dec *.

      • Every Monday, Wednesday, and Friday at 8:00 PM UTC could be specified as: 0 20 * * 1,3,5.

      When you enter a Duration and a Frequency, CipherTrust Manager displays the next several times the key rotation will be run under the Frequency field. Make sure the key rotation will be done on the days you expect.

    Note

    While the specified time is in UTC, the scheduled run times are shown in your local time. Therefore there may not be an exact match between the time set in the Frequency field and the displayed run time.

    When you are done, click Next.

  7. On the Key Rotation Page page, specify the selection criteria you want CipherTrust Manager to use when it selects the keys it will rotate.

    Caution

    Make sure you are extremely careful when you specify the selection criteria so that you do not accidentally rotate keys that should not be rotated using this schedule. Whenever a new key is added to CipherTrust Manager, CipherTrust Manager compares its name and details to the filters set in all key rotation schedules defined in the Admin Settings application, and it automatically adds the new key to ALL key rotation schedules where it matches the selection criteria.
    If your selection criteria is too broad, you could accidentally rotate keys that should not be rotated by this key rotation schedule.

    You can enter a key name In the Name field, or select any of the available filters from the drop-down lists. The Selected Keys table shows the keys that will be rotated by this schedule.

    CipherTrust Manager displays the current list of keys that match this criteria in the Selected Keys table. Make sure you go through this list carefully so that you do not rotate keys you do not want to rotate.

    For example, you can rotate all keys with "ldt" anywhere in their name by specifying *ldt* in the Name field:

    If you only want to rotate the keys whose names begin with "ldt", use the query ldt* in the Name field. In the example above, that removes My_LDT_Key from the list of keys that will be rotated.

    The search is case insensitive, so "ldt" will also match LDT, lDt, ldT, or any variation thereof.

    When you are certain the list of keys to be rotated is accurate, click Save.

On this page