Encryption key rotation

Procedure to perform a key rotation.

About this task

You can optionally modify the existing encryption keys by performing a key rotation, for example if the existing keys expire or are no longer secure. Perform the following steps on the master domain manager and on each agent in the environment.

Procedure

  1. Generate a new key by running the following keytool command:
    ./keytool -genseckey -alias new_alias_name -keyalg AES -keysize 256 \
    -storepass encrypt_keystore_pwd_in_clear -storetype PKCS12 -keystore encrypt_keystore_file

    If the keystore does not exist, it is created. If it exists, the new key is added to the keystore.
    For high-level information about keytool parameters, see Command Reference.

  2. Change the localopts file as follows:
    1. Add the previous value of the encrypt label parameter to the decrypt label list parameter.
    2. Change the value of the encrypt label parameter to new_alias_name.
    For more information about the localopts file, see Setting local options.
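The two steps above, scripted as an added example that is not part of the product documentation. It assumes that localopts uses "key = value" lines, that the parameters are literally named "encrypt label" and "decrypt label list", and that the list is comma-separated without spaces; the sample localopts fragment is constructed for the demonstration. The keytool step reads the keystore password from an environment variable with keytool's -storepass:env option so the password does not appear in shell history or process listings.

```shell
#!/bin/sh
# Added example: rotate the encryption label in a localopts file and
# generate the new key. Not the product's own code; see assumptions above.
set -eu

# Constructed sample localopts fragment (not a real installation).
SAMPLE_LOCALOPTS=$(cat <<'EOF'
# Encryption settings (constructed sample)
encrypt keystore file = /opt/wa/TWS/keystore.p12
encrypt label = key2023
decrypt label list = key2022
EOF
)

# Step 1 of the procedure: create the new AES-256 key in the PKCS12 keystore.
# Requires keytool on PATH and ENCRYPT_KEYSTORE_PWD exported in the environment.
generate_key() { # generate_key KEYSTORE_FILE NEW_ALIAS
    keytool -genseckey -alias "$2" -keyalg AES -keysize 256 \
        -storetype PKCS12 -keystore "$1" -storepass:env ENCRYPT_KEYSTORE_PWD
}

# Print the trimmed value of a "key = value" parameter, or nothing if absent.
get_opt() { # get_opt FILE KEY
    awk -v k="$2" '
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == k) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Step 2 of the procedure: move the current "encrypt label" into
# "decrypt label list" (so files encrypted with it stay readable) and set
# "encrypt label" to the new alias. Refuses to rotate to the same alias.
rotate_labels() { # rotate_labels FILE NEW_ALIAS
    file=$1; new=$2
    old=$(get_opt "$file" "encrypt label")
    [ -n "$old" ] || { echo "no 'encrypt label' in $file" >&2; return 1; }
    [ "$old" != "$new" ] || { echo "new alias equals current label" >&2; return 1; }
    list=$(get_opt "$file" "decrypt label list")
    case ",$list," in
        *",$old,"*) newlist=$list ;;                  # already listed, keep as is
        *) if [ -n "$list" ]; then newlist="$list,$old"; else newlist=$old; fi ;;
    esac
    tmp=$(mktemp)
    awk -v new="$new" -v list="$newlist" '
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == "encrypt label") { print "encrypt label = " new; next }
            if (key == "decrypt label list") { print "decrypt label list = " list; seen = 1; next }
        }
        { print }
        END { if (!seen) print "decrypt label list = " list }
    ' "$file" > "$tmp"
    # Write back through cat so the original file's ownership and mode survive.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Demonstration on the constructed sample: rotates key2023 -> key2024.
demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOCALOPTS" > "$f"
    rotate_labels "$f" key2024
    cat "$f"
    rm -f "$f"
}

demo
```

On a real system the order matters: run generate_key first, verify the alias exists in the keystore (keytool -list), and only then edit localopts, because an "encrypt label" that points at a missing alias breaks encryption of the product files. As the Results section notes, the Symphony plan still uses the previous key until JnextPlan runs, which is exactly why the old label must stay in the decrypt label list rather than being removed.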

Results

The current Symphony plan keeps using the previous key. To apply the new setting to the Symphony plan, run a JnextPlan command. The message boxes are encrypted immediately and the useropts file is encrypted as soon as you save the localopts file and launch a CLI command. Key product files are now encrypted with the new key.