Encryption Key/Certificates updates (Encryption module)

0
Hi all, we’re planning to use the Encryption module to encrypt and decrypt sensitive data (text-based and documents). As a security requirement, we should update/rotate keys on a regular basis (every 1 year, for instance). Is there any safer way to do that without a risk of losing old encrypted content (old key)? Thanks!
asked
2 answers
1

Hi EL OUAFI Omar,

The way to do that is to implement envelope encryption. 

Here is a link to that concept:

https://cloud.ibm.com/docs/key-protect?topic=key-protect-envelope-encryption

But your old data needs to be reprocessed for envelope encryption too. Depending on the data volume, I would choose to decrypt/encrypt everything once a year or implement envelope encryption.

If you consider the first one, create data deletion routines for data that is not required in processes and reports anymore (clean up old data).

Go Make It

answered
0

Hi, is it a requirement to change the key for the already encrypted data?

If so, I don’t see another option than to decrypt all the data with the old key and encrypt it again with the new key.

Would it not be an option to have one key for each year for example? 

answered
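
The two answers fit together: with envelope encryption, a yearly key rotation only has to rewrap each record's small data key, and a key ID stored on the record says which year's key unwraps it. The sketch below is an added example, not code from this thread or from the Encryption module; the record layout, the function names and the in-memory keyring are assumptions made for illustration.

```ruby
require 'openssl'

# AES-256-GCM helpers. Blob layout: nonce (12 bytes) || tag (16 bytes) || ciphertext.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv
  ciphertext = c.update(plaintext) + c.final
  nonce + c.auth_tag + ciphertext
end

def unseal(key, blob)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob[0, 12]
  c.auth_tag = blob[12, 16]
  c.update(blob[28..-1]) + c.final # raises CipherError on a wrong key or tampering
end

# Constructed keyring: one key-encryption key (KEK) per year. In practice these
# would live in a KMS or HSM, not in application memory.
KEKS = {
  '2023' => OpenSSL::Random.random_bytes(32),
  '2024' => OpenSSL::Random.random_bytes(32)
}.freeze

# Each record gets its own data-encryption key (DEK); only the DEK is wrapped
# by a KEK, and the record remembers which KEK version wrapped it.
def encrypt_record(keks, kek_id, plaintext)
  dek = OpenSSL::Random.random_bytes(32)
  { kek_id: kek_id,
    wrapped_dek: seal(keks.fetch(kek_id), dek),
    data: seal(dek, plaintext) }
end

def decrypt_record(keks, rec)
  dek = unseal(keks.fetch(rec[:kek_id]), rec[:wrapped_dek])
  unseal(dek, rec[:data])
end

# Rotation rewraps the 32-byte DEK under the new KEK; :data is never decrypted
# or rewritten, so large documents are not reprocessed.
def rotate_record(keks, rec, new_id)
  dek = unseal(keks.fetch(rec[:kek_id]), rec[:wrapped_dek])
  rec.merge(kek_id: new_id, wrapped_dek: seal(keks.fetch(new_id), dek))
end
```

An old KEK can be retired only after every record that names it has been rotated; until then it has to stay in the keyring for unwrapping.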