Expiring an encryption key
Security policies generally limit how long an encryption key stays in use. This section describes how to expire a key without re-encrypting the existing data. After a key expires, it is no longer used to encrypt new data, but it is still used to decrypt the data that was encrypted under it; do not destroy or revoke an expired key on the KMIP server until that data has been rekeyed, or it can no longer be read.
To change the key used for both encryption and decryption, see Rekeying tables using a new key.
Procedure
-
Get a list of the available keys and their states from the KMIP server:
dsetool managekmip list <kmip_group_name>
For example, <host_name> has two keys, one deactivated and one active:
Keys on <host_name>:
ID      Name                                    Cipher         State        Activation Date               Creation Date  Protect Stop Date  Namespace
02-449  82413ef3-4fa6-4d4d-9dc8-71370d731fe4_0  AES/CBC/PKCS5  Deactivated  Mon Apr 25 20:25:47 UTC 2016  n/a            n/a                n/a
02-540  0eb2277e-0acc-4adb-9241-1dd84dde691c_0  AES            Active       Tue May 31 12:57:59 UTC 2016  n/a            n/a
DSE supports one or more KMIP hosts. Each KMIP host is defined under a user-defined kmip_group_name in the kmip_hosts section of dse.yaml.
-
Expire the key:
-
Immediately expire the key:
dsetool managekmip expirekey <kmip_group_name> <key_id>
-
Schedule an expiration date:
dsetool managekmip expirekey <kmip_group_name> <key_id> <datetime>
After the key expires, the database gets a new key for encryption the next time it refreshes the key cache (key_cache_millis in dse.yaml); the default setting is five minutes. Until that refresh, nodes continue to encrypt new data with the key still held in their cache. Expired keys are still available to decrypt data.
-
Optionally, force a refresh of the DSE key cache by performing a rolling restart.
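The following script drives the procedure above end to end: it confirms the key is currently Active, expires it (now or at a scheduled datetime), waits one key-cache refresh interval read from dse.yaml, and then re-lists the keys to verify that the expired key is no longer Active and that some key still is. It is an added example, not part of DSE or dsetool. It assumes dsetool is on PATH and can reach the node, that KMIP_GROUP names a group under kmip_hosts in dse.yaml (default kmip_group_name), that DSE_YAML points at that file (default /etc/dse/dse.yaml), and that the listing has the column order shown in the example output (ID, Name, Cipher, State, ...). The sample listing embedded in the script is constructed from that example for the offline parsing checks.

```shell
#!/bin/sh
# Added example for the key-expiry procedure; not part of DSE or dsetool.
# Assumptions (not from the documentation): dsetool is on PATH, KMIP_GROUP
# names a kmip_hosts group in dse.yaml, DSE_YAML points at that file, and
# `dsetool managekmip list` prints columns in the order ID Name Cipher State.
set -eu

KMIP_GROUP="${KMIP_GROUP:-kmip_group_name}"   # assumed group name
DSE_YAML="${DSE_YAML:-/etc/dse/dse.yaml}"     # assumed location

# Constructed sample of `dsetool managekmip list` output, mirroring the
# two-key listing in the documentation; used only for offline checks.
SAMPLE_LIST='Keys on <host_name>:
ID      Name                                    Cipher         State        Activation Date               Creation Date  Protect Stop Date  Namespace
02-449  82413ef3-4fa6-4d4d-9dc8-71370d731fe4_0  AES/CBC/PKCS5  Deactivated  Mon Apr 25 20:25:47 UTC 2016  n/a            n/a                n/a
02-540  0eb2277e-0acc-4adb-9241-1dd84dde691c_0  AES            Active       Tue May 31 12:57:59 UTC 2016  n/a            n/a                n/a'

# Print the IDs (column 1) of keys whose State (column 4) equals $1.
# The "Keys on <host>:" line and the column header never carry a key state
# in field 4, so they drop out without special handling.
keys_in_state() {
    awk -v want="$1" '$4 == want { print $1 }'
}

# Read key_cache_millis from a dse.yaml on stdin and print it in whole
# seconds; the documented default of five minutes applies when it is unset.
cache_refresh_seconds() {
    millis=$(awk -F': *' '/^[ \t]*key_cache_millis:/ { print $2; exit }')
    echo $(( ${millis:-300000} / 1000 ))
}

# Expire key $1 now (or at the optional datetime $2), wait one cache refresh
# plus a small margin, then confirm the key is no longer Active and that
# the group still has an Active key for new writes.
expire_and_verify() {
    key_id="$1"
    when="${2:-}"

    if ! dsetool managekmip list "$KMIP_GROUP" | keys_in_state Active | grep -qx "$key_id"; then
        echo "refusing: $key_id is not an Active key in group $KMIP_GROUP" >&2
        return 1
    fi

    if [ -n "$when" ]; then
        dsetool managekmip expirekey "$KMIP_GROUP" "$key_id" "$when"
        echo "expiry of $key_id scheduled for $when; re-run the check after that time"
        return 0
    fi

    if [ ! -r "$DSE_YAML" ]; then
        echo "cannot read $DSE_YAML to determine key_cache_millis" >&2
        return 1
    fi

    dsetool managekmip expirekey "$KMIP_GROUP" "$key_id"
    wait_s=$(( $(cache_refresh_seconds < "$DSE_YAML") + 5 ))
    echo "waiting ${wait_s}s for the DSE key cache to refresh"
    sleep "$wait_s"

    listing=$(dsetool managekmip list "$KMIP_GROUP")
    if printf '%s\n' "$listing" | keys_in_state Active | grep -qx "$key_id"; then
        echo "ERROR: $key_id is still Active after expiry" >&2
        return 1
    fi
    if ! printf '%s\n' "$listing" | keys_in_state Active | grep -q .; then
        echo "WARNING: no Active key listed yet; new data cannot be encrypted until one exists" >&2
        return 1
    fi
    echo "$key_id expired; Active keys now: $(printf '%s\n' "$listing" | keys_in_state Active | tr '\n' ' ')"
}

# Usage: sh expire_key.sh <key_id> [<datetime>]
if [ "$#" -gt 0 ]; then
    expire_and_verify "$@"
fi
```

Run it as `KMIP_GROUP=<kmip_group_name> sh expire_key.sh 02-540` to expire immediately, or append the datetime to schedule the expiry; in the scheduled case the post-expiry check only makes sense after that time has passed, so the script stops after issuing the command. The wait is derived from key_cache_millis so the check does not run against a cache that still holds the old key; a rolling restart, as in the optional step above, would let you skip the wait.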