MKEK Rotation

The CipherTrust Manager allows you to rotate the Master Key Encryption Key (MKEK). Rotating the MKEK replaces the key under which stored secrets are wrapped: secrets are re-wrapped under the new key, so a compromised old MKEK no longer decrypts them, and no single key stays in service indefinitely. For CipherTrust Managers that use a Hardware Security Module (HSM) as the root of trust, you can also rotate the Root of Trust (RoT) key, which sits above the MKEK in the key hierarchy.

Only an administrator in the root domain is allowed to use the MKEK APIs.

Managing MKEK using ksctl

The following operations can be performed:

  • Rotate MKEK

  • Get details of MKEK

  • List all MKEKs

Rotating MKEK

Rotating an MKEK generates a new MKEK; this works the same way in clustered and non-clustered setups. The secrets protected by the previous MKEK are then migrated to the new MKEK. You can give the newly generated MKEK a custom name.
To rotate an MKEK, run:

Syntax


ksctl mkeks rotate --name <CustomName>

Example Request


ksctl mkeks rotate --name test

Example Response


{
        "id": "9fb3264f-33ad-4f2b-ba5f-b3e841543bd9",
        "name": "test",
        "is_default": true,
        "created_at": "2021-03-09T07:21:06.541873461Z",
        "sealer_name": "none"
}

The sealer_name value indicates whether an HSM is configured as the root of trust for this CipherTrust Manager instance. Values are:
none - no HSM is configured.
rapido - an HSM is configured.

Getting Details of MKEK

To get details of an MKEK, run:

Syntax


ksctl mkeks get -i <mkek_id>

Example Request


ksctl mkeks get --id 9fb3264f-33ad-4f2b-ba5f-b3e841543bd9

Example Response


{
        "id": "9fb3264f-33ad-4f2b-ba5f-b3e841543bd9",
        "name": "test",
        "is_default": true,
        "created_at": "2021-03-09T07:21:06.541873461Z",
        "sealer_name": "none"
}

Getting List of MKEKs

To get a list of MKEKs, run the following command. By default it returns only the current default MKEK, so outside of a rotation the list contains a single entry.

Syntax


ksctl mkeks list

Example Request


ksctl mkeks list

Example Response


{
        "total": 1,
        "info": [
                {
                        "id": "658027ff-9780-4e9c-9041-cec99516a162",
                        "name": "mkek_sample_name",
                        "is_default": true,
                        "created_at": "2021-03-09T07:16:55.864674685Z",
                        "sealer_name": "none"
                }
        ]
}

While a rotation is in progress there is more than one MKEK on the system. To list all of them, including the MKEK being retired, run:

Syntax


ksctl mkeks list --all

Example Request


ksctl mkeks list --all

Example Response


{
        "total": 2,
        "info": [
                {
                        "id": "632ac9aa-f927-4704-b9af-859b5e42fc8b",
                        "name": "632ac9aa-f927-4704-b9af-859b5e42fc8b",
                        "created_at": "2021-03-08T10:40:34.038989394Z",
                        "sealer_name": "none"
                },
                {
                        "id": "658027ff-9780-4e9c-9041-cec99516a162",
                        "name": "mkek_sample_name",
                        "is_default": true,
                        "created_at": "2021-03-09T07:16:55.864674685Z",
                        "sealer_name": "none"
                }
        ]
}

The example response above lists two MKEKs. The entry with "is_default": true is the newly generated default MKEK. The other entry, which carries no is_default field, is the MKEK that was in use before rotation; it remains on the system only until the migration of secrets to the new MKEK is complete.
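The rotate, get and list commands above are the building blocks of a rotation, but the page leaves the operator to work out when the rotation has actually finished. The script below is an added example, not Thales code: it drives `ksctl mkeks rotate` and `ksctl mkeks list --all`, then polls until the pre-rotation MKEK disappears from the full listing, treating a missing `is_default` field as false (as in the page's `list --all` output) and refusing to report success unless the new MKEK is the default. It assumes `ksctl` is on PATH and already configured, that it prints the JSON shown on this page, and that a rotation is finished once only the default MKEK remains. The sample responses embedded at the bottom are constructed for offline use, reusing the IDs from the page's examples; the `hsm_configured` helper and the function names are this example's own.

```python
"""Drive an MKEK rotation through ksctl and wait for the old MKEK to retire.

Added example (not Thales code). Assumes ksctl is on PATH and configured, and
that `ksctl mkeks rotate` / `ksctl mkeks list --all` print the JSON shown on
the page. Sample responses at the bottom are constructed for offline use.
"""
import json
import subprocess
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Mkek:
    id: str
    name: str
    created_at: str
    sealer_name: str
    is_default: bool


def parse_mkek(entry: dict) -> Mkek:
    # The pre-rotation MKEK in `list --all` has no "is_default" field at all,
    # so a missing field must read as False rather than raise.
    return Mkek(
        id=entry["id"],
        name=entry["name"],
        created_at=entry["created_at"],
        sealer_name=entry["sealer_name"],
        is_default=bool(entry.get("is_default", False)),
    )


def parse_mkek_list(text: str) -> list:
    """Parse the output of `ksctl mkeks list [--all]` into Mkek records."""
    return [parse_mkek(e) for e in json.loads(text)["info"]]


def hsm_configured(mkek: Mkek) -> bool:
    # sealer_name is "none" without an HSM root of trust and "rapido" with one.
    return mkek.sealer_name != "none"


def rotation_status(mkeks: list) -> tuple:
    """Return (current default MKEK, MKEKs still awaiting retirement)."""
    defaults = [m for m in mkeks if m.is_default]
    if len(defaults) != 1:
        raise RuntimeError(f"expected exactly one default MKEK, got {len(defaults)}")
    return defaults[0], [m for m in mkeks if not m.is_default]


def verify_rotation(old_default_id: str, rotate_output: str, list_all_output: str) -> bool:
    """Check a rotate response against a later `mkeks list --all`.

    Returns True once only the new default remains (migration finished) and
    False while the old MKEK is still listed; raises if the rotation did not
    actually produce a new default MKEK.
    """
    new = json.loads(rotate_output)
    if not new.get("is_default") or new["id"] == old_default_id:
        raise RuntimeError("rotation did not produce a new default MKEK")
    default, pending = rotation_status(parse_mkek_list(list_all_output))
    if default.id != new["id"]:
        raise RuntimeError(f"default MKEK is {default.id}, expected {new['id']}")
    return not pending


def ksctl(*args: str) -> str:
    """Run ksctl and return its stdout; raises on a non-zero exit."""
    return subprocess.run(["ksctl", *args], check=True, capture_output=True, text=True).stdout


def rotate_and_wait(name: str, timeout_s: int = 600, poll_s: int = 10) -> Mkek:
    """Rotate the MKEK and block until the previous MKEK has been retired."""
    old_default, _ = rotation_status(parse_mkek_list(ksctl("mkeks", "list", "--all")))
    rotate_output = ksctl("mkeks", "rotate", "--name", name)
    deadline = time.monotonic() + timeout_s
    while True:
        listing = ksctl("mkeks", "list", "--all")
        if verify_rotation(old_default.id, rotate_output, listing):
            return rotation_status(parse_mkek_list(listing))[0]
        if time.monotonic() > deadline:
            raise TimeoutError("old MKEK still listed; secrets may still be migrating")
        time.sleep(poll_s)


# Constructed sample responses (IDs reused from the page's examples).
OLD_DEFAULT_ID = "632ac9aa-f927-4704-b9af-859b5e42fc8b"
NEW_DEFAULT_ID = "658027ff-9780-4e9c-9041-cec99516a162"
_new_entry = {"id": NEW_DEFAULT_ID, "name": "mkek_sample_name", "is_default": True,
              "created_at": "2021-03-09T07:16:55.864674685Z", "sealer_name": "none"}
_old_entry = {"id": OLD_DEFAULT_ID, "name": OLD_DEFAULT_ID,
              "created_at": "2021-03-08T10:40:34.038989394Z", "sealer_name": "none"}
ROTATE_OUTPUT = json.dumps(_new_entry)
LIST_DURING_ROTATION = json.dumps({"total": 2, "info": [_old_entry, _new_entry]})
LIST_AFTER_ROTATION = json.dumps({"total": 1, "info": [_new_entry]})

if __name__ == "__main__":
    # Offline walk-through on the constructed data; replace with rotate_and_wait("test")
    # against a live CipherTrust Manager.
    print("during rotation, finished:", verify_rotation(OLD_DEFAULT_ID, ROTATE_OUTPUT, LIST_DURING_ROTATION))
    print("after rotation, finished:", verify_rotation(OLD_DEFAULT_ID, ROTATE_OUTPUT, LIST_AFTER_ROTATION))
```

Because the default `ksctl mkeks list` hides the retiring MKEK, the script polls `list --all` rather than `list`; on an HSM-backed instance the same logic applies, and `hsm_configured` lets a runbook assert that every MKEK it sees reports the expected sealer before treating the rotation as done.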