For increased security, you can rotate your cryptographic keys on a predetermined schedule. Key rotation retires an encryption key and replaces it with a newly generated cryptographic key.

Before you begin

Role required: sn_kmf.cryptographic_manager

About this task

Encryption modules, unlike encryption contexts, support a rekey of records so that they are re-encrypted with a new key. The following procedure shows how to manually rotate the key of a cryptographic module.

Procedure

  1. Navigate to Key Management > Cryptographic Modules > All.
  2. Select the cryptographic module for key rotation.
  3. On the Module Keys tab, select the Active key.
    Figure 1. Select the active key (image: the active key selected on the Module Keys tab).
    (Image: the key lifecycle form with the Rotate Key option.)
  4. Select Rotate Key.
    The key lifecycle state changes to "Deactivated." The Last rotated date, Deactivation date, and Key version fields update.
  5. Return to Cryptographic Module > Module Keys.
    (Image: the Module Keys tab with the key lifecycle states updated for the active and deactivated keys.)
    The table lists one extra module key. The key created by the rotation is "Active" and the previous key is "Deactivated."