
Replacing an Application’s Secret Key

Use

You may want to occasionally replace an application’s or service’s secret key, for example, if you think it has been compromised. New data objects are then encrypted using the new secret key; existing objects are re-encrypted using the new key the next time they are accessed. You can also manually initiate the re-encryption of the data that is stored in the corresponding context.

Note

The system generates a new key, but it does not delete the old one. Therefore, if the application stores and maintains its own data, it can decrypt any data that is still encrypted with the old key.

Prerequisites

· The Key Storage and Secure Storage services are running.

Procedure

Using the Secure Storage service:

...

1. Select the tab page for the application type, services or webapplications.

Existing contexts and their keys appear in the left pane under the node Secret Key. The contexts and their encrypted data objects appear in the right pane under the node Objects.

2. Under Secret Key, expand the node for your desired context.

3. Select a key in the context and choose New Key.

4. The system generates a new key and adds it to the context.

Note

The system does not delete the old key; it adds a new key to the context. To identify which key is the newer one, the creation date and a sequence number are included in the key’s identifier.

5. To manually initiate the re-encryption of the context’s data, choose Reencrypt Objects.

The system re-encrypts the data for the context using the new key. If you do not perform this step, then the objects are re-encrypted the next time they are accessed by the application.
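
The following is an added illustration, not SAP code: a minimal Python model of the behaviour this procedure describes (old key retained, new objects encrypted with the new key, existing objects re-encrypted on access or on demand). The Context class, the key identifier format and the stand-in cipher are assumptions made for the example.

```python
import hashlib, hmac, os
from datetime import date

def seal(key, data):  # stand-in for a real AEAD such as AES-GCM (assumption)
    nonce = os.urandom(16)
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(data))
    body = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified object")
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

class Context:
    """Model of one context: a key ring plus objects tagged with a key id."""
    def __init__(self):
        self.keys = {}      # key id -> key bytes; old keys are kept
        self.order = []     # key ids, oldest first
        self.objects = {}   # object name -> (key id, sealed blob)
        self.new_key()

    def new_key(self):
        # Constructed id format: creation date plus sequence number.
        kid = f"{date.today():%Y%m%d}-{len(self.order) + 1:03d}"
        self.keys[kid] = os.urandom(32)
        self.order.append(kid)
        return kid

    def put(self, name, data):
        kid = self.order[-1]    # new objects always use the newest key
        self.objects[name] = (kid, seal(self.keys[kid], data))

    def get(self, name):
        kid, blob = self.objects[name]
        data = unseal(self.keys[kid], blob)
        if kid != self.order[-1]:   # re-encrypt on access
            self.put(name, data)
        return data

    def reencrypt_objects(self):    # the manual "Reencrypt Objects" step
        for name in list(self.objects):
            self.get(name)

    def stale(self):    # names of objects still sealed under an older key
        return sorted(n for n, (k, _) in self.objects.items() if k != self.order[-1])
```

In this model, stale() stays non-empty after new_key() until every object has been accessed or reencrypt_objects() has run, which is why the manual step matters when the old key is suspected of being compromised.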

 

 
