Customer Key Server (CKS) administrators can install additional key pairs and rotate the active key pair. Activating a new key pair starts an automatic process in which Virtru’s systems work with your organization’s CKS to decrypt each encryption key protecting your Virtru-secured data with the previously active private key and immediately re-encrypt it with the newly activated public key.
Organizations may want to rotate their CKS key pairs:
- Upon a security incident
- Following security best practices
Supported Modes: File-based keys
CKS administrator must:
- Generate a new public/private key pair
- Add new keys to: /var/virtru/cks/keys/
The following commands generate the key pair (a 2048-bit RSA private key, the public key derived from it, and the file mode the CKS expects on the private key file):

```sh
# Generate a new 2048-bit RSA private key
openssl genpkey -algorithm RSA -out rsa002.pem -pkeyopt rsa_keygen_bits:2048
# Derive the matching public key from the private key
openssl rsa -pubout -in rsa002.pem -out rsa002.pub
# Set the file mode the CKS expects on the private key file
chmod 644 rsa002.pem
```

These commands generate a key pair named “rsa002”. All files must be named similar to rsa002.pem and rsa002.pub, with the number in the file names matching for the public and private key of each pair.
- Copy the new key pair to each instance
- Add new keys to: /var/virtru/keys/
- /bulk-rewrap endpoint must be accessible to Virtru services
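As an added example (not Virtru's own tooling), a small POSIX shell helper that picks the next rsaNNN name from the keys already present in a directory, generates the pair with the same openssl commands as above, and confirms that the .pub file was really derived from the .pem before the pair is copied to each instance. The key directory argument and the function names are assumptions; the directory would be /var/virtru/cks/keys/ in production or a scratch directory when trying it out.

```sh
#!/bin/sh
# Added example, not Virtru's own tooling.  Prepares the next numbered CKS key
# pair following the rsaNNN.pem / rsaNNN.pub convention and verifies that both
# files belong to the same RSA key before the pair is copied to every instance.
# The key directory is passed as an argument (assumed: /var/virtru/cks/keys/ in
# production, or a scratch directory when trying this out).
set -e

# Print the name the next key pair should get (rsa001 for an empty directory),
# one higher than the highest existing rsaNNN.pem.
next_key_name() {
    keydir="$1"
    last=$(ls "$keydir" 2>/dev/null \
        | sed -n 's/^rsa\([0-9][0-9]*\)\.pem$/\1/p' \
        | sort -n | tail -n 1 | sed 's/^0*//')
    [ -n "$last" ] || last=0
    printf 'rsa%03d\n' "$((last + 1))"
}

# Generate a 2048-bit RSA pair "$2.pem" / "$2.pub" inside "$1", using the same
# openssl commands as the page; the chmod mirrors the page's step as well.
gen_key_pair() {
    keydir="$1"; name="$2"
    openssl genpkey -algorithm RSA -out "$keydir/$name.pem" \
        -pkeyopt rsa_keygen_bits:2048 2>/dev/null
    openssl rsa -pubout -in "$keydir/$name.pem" -out "$keydir/$name.pub" 2>/dev/null
    chmod 644 "$keydir/$name.pem"
}

# Succeed (exit 0) only when the .pub file is exactly the public key derived
# from the .pem file, i.e. the two files with matching numbers are one pair.
# Catches a renamed or stale .pub before it is distributed to the instances.
verify_key_pair() {
    keydir="$1"; name="$2"
    from_priv=$(openssl rsa -in "$keydir/$name.pem" -pubout 2>/dev/null) || return 1
    [ "$from_priv" = "$(cat "$keydir/$name.pub")" ]
}
```

Run the check on every instance after copying, since a pair whose files do not match on even one instance leaves that instance unable to serve the newly activated key.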
Key rotation is automatic and requires no user intervention once initiated.
- Navigate to the CKS area of the Virtru Control Center
- All available keys will show
- Verify the appropriate key pair exists
- Label as needed
- Once the appropriate key pair is present, click Activate to initiate a key rotation
- A verification modal will pop up to ensure the desired action is accurate
Deny read access to a policy (checkbox)
During a security incident, selecting this checkbox ensures the possibly compromised policies are inaccessible until key rotation has completed.
Once processing starts, its status is displayed on the CKS page.
There is no CKS page in the Virtru Control Center.
The page is restricted to super admins of organizations that already have a Virtru CKS.
I don’t see my new public key in the Virtru Control Center.
One or more of your CKS instances is missing the new key pair.
I activated a new public key, but the rotation status shows that it is progressing very slowly.
Processing is dependent on multiple factors, including the number of policies your organization has, the number of CKS instances your organization is running, and the HTTPS request latency between Virtru’s systems and your CKS instances.
The Control Center shows me an error message about a CKS not having the newly activated key pair.
One of your CKS instances is missing the new key pair.