Rekeying the encryption recovery key

The encryption recovery key for the system can be changed by performing a rekey operation. During the rekey process, the system generates a new encryption recovery key and the existing recovery key becomes obsolete.

Consider rekeying the encryption recovery key periodically according to your organization’s security policy, or when you think the existing recovery key has been compromised or is known by an unauthorized party.

Only one encryption method can be rekeyed at a time. If multiple encryption methods are configured on the system, wait for the current rekey operation to complete before starting another one.

Ensure that the existing recovery key is available, because it must be supplied to the system during the rekey process; a rekey cannot be started unless the current recovery key is known.
Note: If you have lost the recovery key, you must disable and then re-enable the recovery key. For more information, see Disabling the encryption recovery key and Enabling the encryption recovery key.

The new encryption recovery key for the system is sensitive, so store it securely in a safe location. Because the new key is displayed on screen during the procedure, run the rekey in a private location where your browser or terminal window cannot be seen by others.

Using the management GUI

The system does not currently support rekeying the encryption recovery key by using the management GUI. Refer to the instructions in the "Using the command-line interface" section.

Using the command-line interface

Follow these steps to rekey the encryption recovery key:

  1. Validate the current recovery key. The current recovery key must be supplied to the system within 30 minutes of starting a rekey. Enter the following command:
    chencryption -recoverykey validate
    Enter the recovery key for the system:
    An interactive prompt is displayed. When the correct recovery key is entered, a success message appears.
  2. To start the rekey process, enter the following command to prepare a new recovery key:
    chencryption -recoverykey newkey -key prepare
    The new recovery key will be displayed on screen.
    Note: The recovery key is sensitive and must be stored in a safe location.

    The system creates an identifier for the new recovery key, which can be used as a label when storing the key in a safe location (for example, in a password manager).

  3. Confirm the new recovery key so that the system can check that it was recorded correctly. Run the following command and enter the new recovery key when prompted:
    chencryption -recoverykey newkey -key confirm
    Enter the new recovery key for the system:
    A confirmation message is displayed when the recovery key has been entered correctly.
  4. Commit the new recovery key by running the following command:
    chencryption -recoverykey newkey -key commit
    For more information, see chencryption command.

    After the commit, the previous recovery key is no longer valid. The rekey has completed successfully when the recovery_key_name field shows the name of the new recovery key and the recovery_key_rekey_name field is blank. For more information, see lsencryption command.
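The following script is an added example, not part of the product documentation or the product's own tooling. It classifies the rekey state from lsencryption output, which is the check you want after step 4 and before starting a rekey of another encryption method. Only the field names recovery_key_name and recovery_key_rekey_name come from the text above; the one-field-per-line "field value" layout, the sample values, and the meaning of a blank recovery_key_name are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the product documentation): classify the state of a
# recovery-key rekey from `lsencryption` output. Only the field names
# recovery_key_name and recovery_key_rekey_name are taken from the documentation;
# the "field value" one-per-line layout and the sample values are constructed.

# Print the value of a field from "field value" lines. Returns 1 when the field
# is absent, so a blank value can be told apart from a missing field.
# Values are assumed to be single tokens (no embedded spaces).
field_value() {
    printf '%s\n' "$2" | awk -v f="$1" '
        $1 == f { found = 1; print $2 }
        END { exit found ? 0 : 1 }'
}

# Classify the rekey state. Prints one of:
#   complete        - a recovery key is committed and no rekey is pending (rc 0)
#   in_progress     - recovery_key_rekey_name is set: prepare/confirm done but
#                     commit not yet run (rc 1)
#   no_recovery_key - recovery_key_name is blank (rc 2; interpretation assumed)
#   unknown         - an expected field is missing from the output (rc 3)
rekey_state() {
    out=$1
    name=$(field_value recovery_key_name "$out") || { echo unknown; return 3; }
    rekey=$(field_value recovery_key_rekey_name "$out") || { echo unknown; return 3; }
    if [ -n "$rekey" ]; then
        echo in_progress
        return 1
    fi
    if [ -z "$name" ]; then
        echo no_recovery_key
        return 2
    fi
    echo complete
    return 0
}

# Constructed samples standing in for `lsencryption` output. On a real system
# the output would be captured over the CLI, for example:
#   out=$(ssh superuser@<system> lsencryption)   # hypothetical invocation
SAMPLE_COMPLETE='recovery_key_name recovery_key_2
recovery_key_rekey_name'
SAMPLE_IN_PROGRESS='recovery_key_name recovery_key_1
recovery_key_rekey_name recovery_key_2'
SAMPLE_NO_KEY='recovery_key_name
recovery_key_rekey_name'
SAMPLE_NO_FIELDS='status enabled'

for sample in "$SAMPLE_COMPLETE" "$SAMPLE_IN_PROGRESS" "$SAMPLE_NO_KEY" "$SAMPLE_NO_FIELDS"; do
    state=$(rekey_state "$sample") || :
    printf 'state=%s\n' "$state"
done
```

The non-zero return codes let the function act as a gate in an automation step: start a rekey of another encryption method only when rekey_state returns 0, and treat in_progress as "finish the pending commit first".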

Note: After upgrading from 8.7.0 to a later software version, perform a rekey operation so that the rekey time is updated in the GUI and CLI.