Key Rotation
Rotation of User Key (CipherTrust Manager Key Rotation):
ProtectApp LUKS supports key rotation.
You need to create a Versioned Key on CipherTrust Manager; later versions of that key can then be created for key rotation. For more details, refer to Key Rotation on CM.
Note
Make sure you select the check box Set as "Versioned Key" for backwards compatibility while creating a Versioned Key on CM.
The version '0' in the config file indicates that the key is non-versioned. For a versioned key, the version 'x' on the CM is automatically set to 'x+1' in the config file. For more information, refer to Versioned Keys on CM.
Perform the following steps:
1. To initialize the volume, execute the following command:
cryptsetup -q -v luksFormat /dev/<disk_name>
The disk is formatted with the latest version of the key provided in the ks_user_config file.
2. To create a mapping of the volume, execute the following command. It prompts for a passphrase (only for User based Authentication) and creates the mapping. After executing this command, the encrypted device is ready to be mounted/remounted and used.
cryptsetup luksOpen /dev/<disk_name> backup
Note
If the versioned key is rotated through CM, the luksOpen command internally replaces the existing key with the latest version of the key, and the latest version is updated in the ks_user_config file.
After rotating a versioned key, if you run the luksOpen command, the new key salt is added to the first free available key slot.
For more details on mount/remount of a LUKS device, refer to Create Mapping of LUKS Device.
Rotation of Master Key
LUKS can rotate the master key that was used for the disk encryption.
Note
Ensure the device is inactive (closed) before rotating the master key; close it with:
cryptsetup luksClose backup
To rotate the master key, execute the cryptsetup-reencrypt command:
cryptsetup-reencrypt /dev/<disk_name>
To verify the rotation of master key, execute the following command:
cryptsetup luksDump -q --dump-master-key /dev/<disk_name>
Warning
Do not rotate the user key on CM while the master key is being rotated.
If you have rotated the key through CM, the master key can only be rotated by providing the last used key slot number:
cryptsetup-reencrypt /dev/<disk_name> -S <slot number>
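The following shell script is an added example and is not part of ProtectApp LUKS or cryptsetup. It captures the two pre-flight checks that the user key rotation and master key rotation sections above depend on: the mapping must be closed before cryptsetup-reencrypt runs, and after a CM rotation has added a slot via luksOpen the highest enabled slot must be passed with -S. The device name /dev/sdX, the mapping name backup, and the status and luksDump text are constructed stand-ins (LUKS1 luksDump layout "Key Slot N: ENABLED" is assumed); the script only parses text and prints the command line it would run, so it can be exercised without a real LUKS volume.

```shell
#!/bin/sh
# Added example, not ProtectApp LUKS or cryptsetup code: pre-flight checks for
# the master-key rotation procedure. Nothing here touches a block device; the
# functions parse cryptsetup output text and build the command line to review.

# Return 0 when the `cryptsetup status <mapping>` text on stdin reports the
# mapping as inactive, i.e. it was closed with luksClose first.
mapping_is_inactive() {
    grep -q ' is inactive'
}

# Print the highest ENABLED key slot from `cryptsetup luksDump` text on stdin
# (assumed LUKS1 layout "Key Slot N: ENABLED"). After a CM key rotation,
# luksOpen wrote the new key version into the first free slot, so this is the
# slot to hand to cryptsetup-reencrypt -S. Fails if no slot is enabled.
last_used_slot() {
    awk 'BEGIN { max = -1 }
         /^Key Slot [0-9]+: ENABLED/ { n = $3; sub(/:/, "", n); if (n + 0 > max) max = n + 0 }
         END { if (max < 0) exit 1; print max }'
}

# Print the cryptsetup-reencrypt command line for device $1. When $2 carries a
# slot number (key rotated through CM), append -S so the correct slot is used.
build_reencrypt_cmd() {
    if [ -n "$2" ]; then
        printf 'cryptsetup-reencrypt %s -S %s\n' "$1" "$2"
    else
        printf 'cryptsetup-reencrypt %s\n' "$1"
    fi
}

# Constructed sample output standing in for `cryptsetup status backup` and
# `cryptsetup luksDump /dev/sdX` after one CM rotation (slot 1 added by luksOpen).
SAMPLE_STATUS='/dev/mapper/backup is inactive.'
SAMPLE_DUMP='LUKS header information for /dev/sdX
Version:        1
Cipher name:    aes
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED'

# Demo: only build the reencrypt command once the mapping is confirmed closed.
if printf '%s\n' "$SAMPLE_STATUS" | mapping_is_inactive; then
    slot=$(printf '%s\n' "$SAMPLE_DUMP" | last_used_slot)
    build_reencrypt_cmd /dev/sdX "$slot"   # prints: cryptsetup-reencrypt /dev/sdX -S 1
else
    echo 'backup is still active: run cryptsetup luksClose backup first' >&2
fi
```

On a real system, replace the sample strings with `cryptsetup status backup` and `cryptsetup luksDump /dev/<disk_name>` output, and run the printed command only after reviewing it; if the key was never rotated through CM, call build_reencrypt_cmd without a slot argument and the plain cryptsetup-reencrypt form is produced.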