Encryption key rotation
Procedure to perform a key rotation.
About this task
You can optionally replace the existing encryption keys by performing a key rotation, for example when the existing keys expire or are no longer considered secure. Perform the following steps on the master domain manager and on each agent in the environment.
Procedure
- Generate a new key by running the following keytool command:
  ./keytool -genseckey -alias new_alias_name -keyalg AES -keysize 256 -storepass encrypt_keystore_pwd_in_clear -storetype PKCS12 -keystore encrypt_keystore_file
  If the keystore does not exist, it is created. If it exists, the new key is added to the keystore.
  For high-level information about keytool parameters, see Command Reference.
- Change the localopts file as follows:
  - Add the previous value of the encrypt label parameter to the decrypt label list parameter.
  - Change the value of the encrypt label parameter to new_alias_name.
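The localopts edit in the second step, as an added shell example that is not part of this documentation or the product: it moves the current encrypt label value into the decrypt label list and sets encrypt label to the new alias. It assumes a "parameter = value" line syntax with the decrypt label list comma-separated, and the sample localopts fragment is constructed for the demonstration.

```shell
#!/bin/sh
# Rotate the encryption label in a localopts file (added example, not product code).
# Assumed syntax: "encrypt label = <alias>" and "decrypt label list = <a1>,<a2>".
# The old alias is kept in decrypt label list so data encrypted under the previous
# key can still be read; encrypt label switches to the alias created with keytool.

rotate_localopts_labels() {
  file="$1"
  new_alias="$2"
  old_alias=$(awk -F' *= *' '$1 == "encrypt label" { print $2 }' "$file")
  [ -n "$old_alias" ] || { echo "no encrypt label in $file" >&2; return 1; }
  # Refuse a no-op rotation: the new alias must differ from the current one.
  [ "$old_alias" != "$new_alias" ] || { echo "alias already current" >&2; return 1; }
  awk -v old="$old_alias" -v new="$new_alias" -F' *= *' '
    $1 == "encrypt label"      { print "encrypt label = " new; next }
    $1 == "decrypt label list" { seen = 1
                                 list = ($2 == "") ? old : $2 "," old
                                 print "decrypt label list = " list; next }
    { print }
    END { if (!seen) print "decrypt label list = " old }   # add the list if absent
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Read back one parameter value (used to verify the result).
localopts_value() {
  awk -v key="$2" -F' *= *' '$1 == key { print $2 }' "$1"
}

# Constructed sample localopts fragment; alias names are placeholders.
demo_dir=$(mktemp -d)
cat > "$demo_dir/localopts" <<'EOF'
thiscpu = MASTER
encrypt label = alias_2023
decrypt label list = alias_2022
EOF
rotate_localopts_labels "$demo_dir/localopts" alias_2024
cat "$demo_dir/localopts"
```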