Skip to main content
Welcome to Virtru's support portal. As we work to make this page more accessible to screen readers, please contact us at support@virtru.com for technical support.

CKS Reference - Key Rotation

Chad Sigler
  • Updated

About

Customer Key Server (CKS) administrators can install additional key pairs and rotate the active key pair, which starts an automatic process resulting in Virtru’s systems working with your organization’s CKS to decrypt each encryption key for your Virtru-secured data with the previously active private key and immediately re-encrypt it with the newly activated public key.

Organizations may want to rotate their CKS key pairs:

  • Upon a security incident
  • Following security best practices

Jump To

Prerequisites

Supported Modes: File-based keys

CKS administrator must:

  • Generate a new public/private key pair
    • Add new keys to: /var/virtru/cks/keys/
openssl genpkey -algorithm RSA -out rsa002.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -pubout -in rsa002.pem -out rsa002.pub
chmod 644 rsa002.pem

 

Note

This command generates a key pair named similar to “rsa002”. All files must be named similar to:

  • rsa###.pub
  • rsa###.pem 

With the number on the files matching for the public and private key-pair.

  • Copy the new key pair to each instance
    • Add new keys to: /var/virtru/keys/

Firewall Requirement:

Rotate Keys

Key rotation is automatic and requires no user intervention once initiate.

Steps:

CKS keys list

  • Once the appropriate key has been obtained
    • Click Activate to initiate a key rotation
  • A verification modal will pop up to ensure the desired action is accurate 

Rotation confirmation

Deny read access to a policy

During a security incident, this checkbox will ensure the possibly compromised policies are inaccessible until key rotation has been completed.

  • Once processing starts, status is displayed on the CKS page

Status bar

Troubleshooting

Problem

Possible Cause

There is no CKS page in the Virtru Control Center.

The page is restricted to super admins of organizations that already have a Virtru CKS.

I don’t see my new public key in the Virtru Control Center.

One or more of your CKS instances is missing the new key pair.

I activated a new public key, but the rotation status shows that it is progressing very slowly.

Processing is dependent on multiple factors, including the number of policies your organization has, the number of CKS instances your organization is running, and the HTTPS request latency between Virtru’s systems and your CKS instances.

The Control Center shows me an error message about a CKS not having the newly activated key pair.

One of your CKS instances is missing the new key pair.

 

Related articles