Rollover Encryption Keys

For background on Privacera encryption keys, see Key Management in Privacera Encryption.

Privacera uses Apache Ranger (Ranger KMS) for encryption and key management. Keys can be rotated from the Apache Ranger UI or through the REST API (/keys/key). Rotating a key that was used to encrypt several terabytes of data is computationally intensive and slow: the data must first be decrypted with the existing key and then re-encrypted with the new one, and the data is unavailable while that rotation runs.

To avoid this, Privacera uses envelope encryption. The data itself is encrypted with Data Encryption Keys (DEKs), and the DEKs are in turn encrypted with a separate set of keys, the Key Encryption Keys (KEKs). The term "rollover" means rotating the KEKs instead of the DEKs. Because only the small DEKs are re-encrypted and the data is never touched, rolling over the KEKs completes quickly even when ten thousand DEKs are involved.

To rollover keys via the Apache Ranger UI:

  1. Log in to Ranger at https://<your_privacera_hostname>:6080 with the "keyadmin" credentials.
  2. Hover your cursor over the Encryption menu item at the top and select Key Manager.
  3. From the Select Service pulldown, select privacera_kms.

    The current key entries are displayed.

    <img src="../assets/key_list.png" />

  4. For the desired key, on the far right, click the pencil icon.

    <img src="../assets/key_rollover.png" />

  5. At the confirmation prompt, click OK to roll over the key.

This calls the Ranger key rollover API, which decrypts the DEKs that were encrypted with the previous KEK, generates a new KEK, and re-encrypts the DEKs with the newly generated key. Only the DEKs are rewritten; the encrypted data is left as it is.
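The same rollover can be driven from a script against the REST endpoint the UI calls, which is useful for scheduled rotation and for checking that the rollover actually happened. The following is an added example, not Privacera's or Apache Ranger's own code. It assumes (none of this is stated on the page) a Ranger Admin base URL in `RANGER_URL`, the keyadmin password in `KEYADMIN_PASSWORD`, a key name passed on the command line, and the shape of the Ranger Admin key REST calls as the author understands them: `GET /service/keys/key/<name>` for key metadata and `PUT /service/keys/key` with a `{"name": ...}` body for rollover, both taking a `?provider=<kms service>` query parameter. The check it adds is that the key's version count advanced by exactly one.

```python
"""Roll over a Ranger KMS key through the Ranger Admin REST API and confirm
that a new key version was created.

Added example, not Privacera's or Apache Ranger's own code. Assumed (not
from the page): RANGER_URL, KEYADMIN_PASSWORD, the key name, and the exact
request shapes of the Ranger Admin key REST service used below.
"""
import base64
import json
import os
import sys
import urllib.request

RANGER_URL = os.environ.get("RANGER_URL", "https://privacera.example.com:6080")  # assumed host
SERVICE = "privacera_kms"   # the service selected in the Key Manager UI
USER = "keyadmin"


def _basic_auth(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def key_request(base_url, service, key_name, user, password, rollover=False):
    """Build the request the Key Manager UI issues: GET key metadata, or
    PUT /keys/key to roll the key over to a new version (assumed shapes)."""
    headers = {"Accept": "application/json", **_basic_auth(user, password)}
    if rollover:
        headers["Content-Type"] = "application/json"
        body = json.dumps({"name": key_name}).encode()
        return urllib.request.Request(
            f"{base_url}/service/keys/key?provider={service}",
            data=body, headers=headers, method="PUT")
    return urllib.request.Request(
        f"{base_url}/service/keys/key/{key_name}?provider={service}",
        headers=headers, method="GET")


def send(req, opener=urllib.request.urlopen):
    """Send a request and decode the JSON body. `opener` is injectable so the
    flow can be exercised without a live Ranger Admin."""
    with opener(req) as resp:
        return json.loads(resp.read().decode())


def rollover_advanced(before, after):
    """A successful rollover keeps the key name and adds exactly one version.
    Hadoop/Ranger KMS keeps the older versions, so DEKs wrapped with them
    stay decryptable until they are re-wrapped with the new version."""
    return (before.get("name") == after.get("name")
            and after.get("versions", 0) == before.get("versions", 0) + 1)


def rollover_and_verify(base_url, service, key_name, user, password,
                        opener=urllib.request.urlopen):
    """Read key metadata, roll the key over, re-read it and check that the
    version count moved forward by one. Returns (before, after) metadata."""
    before = send(key_request(base_url, service, key_name, user, password), opener)
    send(key_request(base_url, service, key_name, user, password, rollover=True), opener)
    after = send(key_request(base_url, service, key_name, user, password), opener)
    if not rollover_advanced(before, after):
        raise RuntimeError(
            f"rollover of {key_name!r} did not advance the version: "
            f"{before.get('versions')} -> {after.get('versions')}")
    return before, after


if __name__ == "__main__":
    # Usage: RANGER_URL=https://host:6080 KEYADMIN_PASSWORD=... python rollover.py <key-name>
    key = sys.argv[1] if len(sys.argv) > 1 else "privacera_master_key"  # assumed key name
    password = os.environ.get("KEYADMIN_PASSWORD")
    if not password:
        sys.exit("set KEYADMIN_PASSWORD in the environment")
    b, a = rollover_and_verify(RANGER_URL, SERVICE, key, USER, password)
    print(f"{key}: versions {b.get('versions')} -> {a.get('versions')}")
```

The password is taken from the environment rather than the command line so it does not end up in shell history or process listings. If Ranger Admin serves a self-signed certificate, `urllib` will refuse the connection; pass an `opener` that calls `urllib.request.urlopen(req, context=...)` with an `ssl` context that trusts your CA rather than disabling verification.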


Last update: July 23, 2021