To protect against compromise, rotate the keyvault master encryption key at regular
intervals. When you rotate the keyvault master encryption key, all of the keys in the keyvault are
reencrypted with the new master key, without any operational impact on the application.
About this task
After you rotate the keyvault master encryption key, check the logs to ensure that it ran
successfully.
Procedure
- Log in to the Red Hat OpenShift® Container Platform as OpenShift Administrator.
- Click Workloads > Secrets and select your project, for example cp4s.
- Use the filter to search for the keyvault-rotation-key secret, and select the secret.
- To regenerate the key, run the following command from the OpenShift cluster:
  openssl enc -aes-256-cbc -k isc-cases-application -P -md sha1 | grep key= | sed -e "s/^key=//;" | base64
- Copy the output of the previous command.
- For the keyvault-rotation-key, paste the value for the keyvault master encryption key from the output that you copied in the previous step, as shown in the following example:
  keyvault_master_key: "QjYzNjQ2MTIzMjMzNTdFODMyRkE3QjRFRkJGMDE0RDZGMDBFRjdGNDAyQkU0MDIzODdGOTE0OTREOTJBRTBDOAo"
- Click Save.
- Allow some time for the job to complete and check the log file to confirm that the command ran successfully. The logs are on the encryption rotation pod created by the operator. You can view the list of pods and their status by entering:
  oc get pods | grep cases-encryption-rotate
  You can then view the logs with the following command:
  oc logs <pod_name>
  where pod_name is the name of any of the pods that are returned by oc get pods | grep cases-encryption-rotate.
  The following sample shows a successful keyvault master encryption rotation in a log file:
  [main] INFO com.co3.tools.co3util.command.KeyVaultReEncryptCommand - Keyvault re-encryption started at 2023-05-19 08:03:12+0000.
  [main] INFO com.co3.tools.co3util.command.KeyVaultReEncryptCommand - Keyvault backup completed with date '2023-05-19 08:03:15.922+0000'.
  [main] INFO com.co3.tools.co3util.command.KeyVaultReEncryptCommand - Re-encryption completed successfully at 2023-05-19 08:03:16+0000.
  3 entries processed
  3 entries re-encrypted
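The log check in the last step can be scripted so that a rotation is only reported as successful when the completion message is present and every processed entry was actually re-encrypted. The following shell script is an added example, not part of the IBM documentation or the product; the sample log is constructed from the output shown above, and the check_rotation_pods function assumes an oc session that is already logged in to the cluster.

```shell
#!/bin/sh
# Added example: verify that a keyvault rotation log shows a successful run.
# Constructed sample log, modelled on the successful output shown above.
SAMPLE_LOG=$(cat <<'EOF'
[main] INFO com.co3.tools.co3util.command.KeyVaultReEncryptCommand - Keyvault re-encryption started at 2023-05-19 08:03:12+0000.
[main] INFO com.co3.tools.co3util.command.KeyVaultReEncryptCommand - Keyvault backup completed with date '2023-05-19 08:03:15.922+0000'.
[main] INFO com.co3.tools.co3util.command.KeyVaultReEncryptCommand - Re-encryption completed successfully at 2023-05-19 08:03:16+0000.
3 entries processed
3 entries re-encrypted
EOF
)

# check_rotation_log LOGTEXT
# Returns 0 only when the success marker is present AND the number of entries
# processed equals the number re-encrypted (and is non-zero); 1 otherwise.
check_rotation_log() {
    log="$1"
    printf '%s\n' "$log" | grep -q 'Re-encryption completed successfully' || return 1
    # Take the last count of each kind, in case the job logged several passes.
    processed=$(printf '%s\n' "$log" | sed -n 's/^\([0-9][0-9]*\) entries processed$/\1/p' | tail -n 1)
    reencrypted=$(printf '%s\n' "$log" | sed -n 's/^\([0-9][0-9]*\) entries re-encrypted$/\1/p' | tail -n 1)
    [ -n "$processed" ] && [ -n "$reencrypted" ] || return 1
    [ "$processed" -gt 0 ] && [ "$processed" -eq "$reencrypted" ]
}

# check_rotation_pods: run the check against every rotation pod in the
# current project (assumption: oc is installed and logged in).
check_rotation_pods() {
    rc=0
    for pod in $(oc get pods -o name | grep cases-encryption-rotate); do
        if check_rotation_log "$(oc logs "$pod")"; then
            echo "OK   $pod"
        else
            echo "FAIL $pod" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

Running check_rotation_pods after the job finishes prints one line per rotation pod and exits non-zero if any pod's log fails the check.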