Changing master keys and re-enciphering secure keys

Your security policies might require that a new master key be generated on the cryptographic coprocessors at certain time intervals. After such a change, you must re-encipher all secure keys that were generated with the previous master key. How you re-encipher the applicable secure keys depends on where they are stored: in a secure key repository, as a volume key in a LUKS2 header, or simply in a file in the file system.

The information presented in this topic is valid for both CCA and EP11 master keys. How to set an EP11 master key is outlined in the EP11 documentation: Exploiting Enterprise PKCS #11 using openCryptoki. How to change a CCA master key is documented in How to set an AES master key.

For security and ease of use, always store your secure keys in a secure key repository. To manage a required change of the master key, you can then use the zkey utility to perform the required re-encryption.

If the secure keys are stored as volume keys in the LUKS2 header of your volume, you can use the zkey-cryptsetup utility to perform the re-encryption.

You might also have saved your secure key in a file. In this case, too, you can use the zkey utility to perform the re-encryption.
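The three storage cases above, collected into one script as an added example that is not part of this topic. The subcommands and options it uses (zkey reencipher, zkey validate, zkey-cryptsetup reencipher, zkey-cryptsetup validate, --name, --to-new, --in-place) are taken from the zkey and zkey-cryptsetup man pages as installed on my system and are an assumption here; confirm them against your own version. Key names, device and file paths are placeholders.

```shell
#!/bin/sh
# Re-encipher secure keys after a master key change, choosing the tool by
# where the key is stored. Set DRY_RUN=1 to only print the commands that
# would run, which is useful for reviewing a change window in advance.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Case 1: secure key kept in the zkey repository. Re-encipher a single key by
# name, or every key in the repository when no name is given, then validate.
# --to-new re-enciphers from the current to the new master key register;
# if your coprocessor needs a staged change, the man page documents
# --staged and --complete instead.
reencipher_repository() {
    name="$1"
    if [ -n "$name" ]; then
        run zkey reencipher --name "$name" --to-new
        run zkey validate --name "$name"
    else
        run zkey reencipher --to-new
        run zkey validate
    fi
}

# Case 2: secure key stored as the volume key in a LUKS2 header.
# zkey-cryptsetup updates the header in place; validate afterwards so the
# volume is known to open under the new master key before it is rebooted.
reencipher_luks2() {
    dev="$1"
    run zkey-cryptsetup reencipher "$dev" --to-new
    run zkey-cryptsetup validate "$dev"
}

# Case 3: secure key kept in a plain file. --in-place overwrites the file
# with the re-enciphered key; keep a backup of the file until verified.
reencipher_file() {
    keyfile="$1"
    run zkey reencipher "$keyfile" --to-new --in-place
}

# Placeholder invocations (constructed names and paths):
# reencipher_repository "db-volume-key"
# reencipher_luks2 /dev/mapper/placeholder-dev
# reencipher_file /etc/zkey/placeholder.skey
```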