Understanding Master Key Rotation
The master key is a unique cryptographic key which is the heart and soul of every operation you perform with the Porticor appliance.
It must always be kept safe, and we have published a set of recommendations on how to handle it securely. But even when you follow the very best practices, there are situations in which you might wish to replace the key. Some possible reasons for replacing the master key (which security veterans usually call "rotating" the key) include:
- A person who had access to the key has left the organization.
- You suspect that the master key may have been compromised.
- Your organization's internal procedures call for periodic key rotation.
Every new protected item, file system and S3 object you add to the appliance is secured by its own newly generated key, and that item-specific key is in turn encrypted under your master key. Rotating the master key therefore never requires going over every encrypted byte of your data and re-encrypting it; only the item-specific keys are re-encrypted under the new master key, and the data ciphertext stays exactly as it is.
When you request a master key rotation you must supply your old master key (so it can be verified) and approve the newly generated master key. Once the old key is validated, the appliance transforms both master keys by encryption and cryptographic blinding, and only this transformed result is sent to the central Porticor key management application (PVKM). Neither the old nor the new master key is ever revealed to Porticor.
PVKM uses Porticor's homomorphic key management technology to re-encrypt each item-specific key used in your project under the new master key, without ever being able to access those keys directly. If you have several appliances in the project, the new master key is propagated to all of them automatically over the established chain of trust.
The whole rotation usually completes within a couple of seconds. With tens of thousands of protected items or S3 objects it takes somewhat longer, but not by much.
It is also important that the rotation is atomic: an error during the process will not leave you with half of your item keys protected by the old master key and the other half by the new one. If anything fails, the appliance is returned to exactly its pre-rotation state and the old master key remains in effect.
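The two properties described above, a two-tier key hierarchy in which rotation only rewraps the item-specific keys, and an all-or-nothing commit, are easiest to see in a small working model. The code below is an added example written for this page; it is not Porticor code and does not reproduce their blinding or PVKM homomorphic step (the rewrap here happens locally with both master keys in hand). Because the Python standard library has no AES, an HMAC-SHA256 encrypt-then-MAC construction stands in for the real cipher. The `Appliance` class, the `seal`/`unseal`/`rotate_master_key` names, the verifier-only storage of the master key and the sample items are all assumptions of the example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _derive(key, label):
    """Domain-separated subkey via HMAC-SHA256, used here as a minimal KDF."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _raises(exc, fn, *args):
    """True if fn(*args) raises exc, False if it returns normally."""
    try:
        fn(*args)
    except exc:
        return True
    return False

def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: a stand-in for AES-CTR, since the stdlib has no AES."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(_derive(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Constant-time tag check, then decrypt; ValueError on a wrong key or a damaged blob."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or corrupted blob")
    return bytes(c ^ s for c, s in zip(ct, _keystream(_derive(key, b"enc"), nonce, len(ct))))

class Appliance:
    """Keeps one wrapped data key per item plus a master-key verifier, never the master key."""

    def __init__(self, master_key):
        self._verifier = _derive(master_key, b"master-verifier")
        self._wrapped = {}  # item id -> data key sealed under the master key
        self._data = {}     # item id -> payload sealed under its own data key

    def check_master(self, master_key):
        return hmac.compare_digest(self._verifier, _derive(master_key, b"master-verifier"))

    def protect(self, master_key, item_id, plaintext):
        if not self.check_master(master_key):
            raise PermissionError("master key does not verify")
        data_key = secrets.token_bytes(32)  # fresh, item-specific key
        self._data[item_id] = seal(data_key, plaintext)
        self._wrapped[item_id] = seal(master_key, data_key)

    def reveal(self, master_key, item_id):
        return unseal(unseal(master_key, self._wrapped[item_id]), self._data[item_id])

    def rotate_master_key(self, old_master, new_master):
        """Rewrap every data key under new_master; data ciphertexts are not touched. Nothing is
        committed until all keys are rewrapped, so a failure part-way leaves the state as it was."""
        if not self.check_master(old_master):
            raise PermissionError("old master key does not verify")
        rewrapped = {}
        for item_id, blob in self._wrapped.items():
            rewrapped[item_id] = seal(new_master, unseal(old_master, blob))  # raises -> no commit
        # Commit point: one swap of the key table plus the new verifier (one transaction in a real store).
        self._wrapped = rewrapped
        self._verifier = _derive(new_master, b"master-verifier")
        return len(rewrapped)

def demo():
    old_master, new_master = secrets.token_bytes(32), secrets.token_bytes(32)
    first, second = "s3://bucket/report.pdf", "fs:/srv/db"
    items = {first: b"quarterly numbers", second: b"customer table"}  # constructed sample items
    app = Appliance(old_master)
    for item_id, payload in items.items():
        app.protect(old_master, item_id, payload)
    data_before, wrapped_before = dict(app._data), dict(app._wrapped)
    wrong_key_refused = _raises(PermissionError, app.rotate_master_key, secrets.token_bytes(32), new_master)
    # Simulated mid-rotation failure: the second wrapped key is unreadable (zeroed), so the first
    # key has already been rewrapped when the loop fails; neither result may be committed.
    app._wrapped[second] = bytes(len(wrapped_before[second]))
    midway_rolled_back = (_raises(ValueError, app.rotate_master_key, old_master, new_master)
                          and app.check_master(old_master) and app._wrapped[first] == wrapped_before[first])
    app._wrapped[second] = wrapped_before[second]  # undo the simulated damage
    rotated = app.rotate_master_key(old_master, new_master)  # the real rotation
    old_key_dead = _raises(ValueError, app.reveal, old_master, first)
    return {"wrong_key_refused": wrong_key_refused, "midway_rolled_back": midway_rolled_back,
            "rotated": rotated, "data_unchanged": app._data == data_before,
            "new_key_reads": all(app.reveal(new_master, i) == p for i, p in items.items()),
            "old_key_dead": old_key_dead}
```

`demo()` returns a dictionary of results: the wrong old key is refused before anything changes, a failure on the second key leaves the first key's wrapping and the verifier untouched, and after a successful rotation the data ciphertexts compare byte-for-byte equal to what they were before while the old master key can no longer unwrap anything. Building the new key table aside and swapping it in only at the end is what gives the rotation its all-or-nothing behaviour.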
All of the above concerns the master key. If you ever need to rotate an item-specific key (for example, the one protecting a particular S3 object), simply copy the object aside: the copy is protected by a freshly generated key, and you can then use it in place of the original.