Rekey ciphertext with Key Exchange

  • Release version: Australia
  • Updated March 12, 2026
  • Resource Exchange supports rekeying of ciphertext on the target instance that was encrypted with keys from the source. Rekey activity is tracked in the key life-cycle.

    Overview

    Administrators who use KMF for Field Encryption can use Key Exchange to rekey cryptographic keys between production instances when performing data cloning. Rekey requires an active key, so an active key must first be available on the target instance. The system automatically creates and runs an encryption job to rotate and rekey the source key and re-encrypt the ciphertext.

    Use Key Exchange to do the following:

    • Set an expiration time frame for rekey.

      If the request has expired, then the request is rejected and the key is deleted.

    • Automate rekeying ciphertext that was encrypted with keys from source instances.

      A new cloned crypto key is used to re-encrypt ciphertext on the target instance.

    • The Rekey purpose is set up during the cloning process and is automated as part of the clone.
    • Rekey activity is tracked on the Modules Key tab of the cryptographic module. Access the Key life cycle state and Key version for key activity. See Rotate keys for additional information.

    Configure a Key Exchange and select the Enable Rekeying After Key Imported check box for activation. See Configure Key Exchange for details.
