About
Virtru Private Keystore (for Virtru Solutions) administrators can install additional key pairs and rotate the active key pair, which starts an automatic process resulting in Virtru’s systems working with your organization’s CKS to decrypt each encryption key for your Virtru-secured data with the previously active private key and immediately re-encrypt it with the newly activated public key.
Organizations may want to rotate their Virtru Private Keystore key pairs:
- Upon a security incident
- Following security best practices
Jump To
Prerequisites
Supported Modes: File-based keys
CKS administrator must:
- Log on to your CKS server, and generate a new public/private key pair
- Go to your /var/virtru/cks/keys/ directory
- Add new keys to /var/virtru/cks/keys/ by following the script below:
openssl genpkey -algorithm RSA -out rsa002.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -pubout -in rsa002.pem -out rsa002.pub
chmod 644 rsa002.pem
Note
This command generates a key pair following the name and number formatting similar to “rsa002, rsa003, etc”. All files must be named following the format below:
- rsa###.pub
- rsa###.pem
The number formatting on the files must match for both the public and private key-pair.
- If running your CKS environment in High Availability (HA), you must also copy the new key pair generated onto each additional instance. They also must be placed in the same directory with the same file name.
- Go to your /var/virtru/cks/keys/ directory in each of your additional CKS instances
- Copy the new keys to: /var/virtru/keys/ following the same naming and number formatting as your other CKS instances
Firewall Requirement:
- /bulk-rewrap endpoint must be accessible to Virtru services
Rotate Keys
Key rotation is automatic and requires no user intervention once initiate.
Steps:
- Navigate to the CKS area of the Virtru Control Center
- All available keys will show
- Verify the appropriate key pair exists
- Label as needed
- Once the appropriate key has been obtained
- Click Activate to initiate a key rotation
- A verification modal will pop up to ensure the desired action is accurate
Deny read access to a policy
During a security incident, this checkbox will ensure the possibly compromised policies are inaccessible until key rotation has been completed. Any previous keys that you rotate away from while enabling the "deny read access" checkbox will be labeled as "Compromised" in the CKS status page in the Control Center.
-
Once processing starts, status is displayed on the CKS page
Troubleshooting
Problem |
Possible Cause |
There is no CKS page in the Virtru Control Center. |
The page is restricted to super admins of organizations that already have a Virtru CKS. Please contact Virtru Support or your Customer Success Manager to enable this feature. |
I don’t see my new public key in the Virtru Control Center. |
One or more of your CKS instances is missing the new key pair. |
I activated a new public key, but the rotation status shows that it is progressing very slowly. |
Processing is dependent on multiple factors, including the number of policies your organization has, the number of CKS instances your organization is running, and the HTTPS request latency between Virtru’s systems and your CKS instances. |
The Control Center shows me an error message about a CKS not having the newly activated key pair. |
One of your CKS instances is missing the new key pair. |