Changing Master Key
This document describes how to update the master key, how to change it for the scenario on the file system, how the migration process works in the background, and what tool is used in this procedure.

Note: This procedure is applicable only after release 3.0.0.

## How It Works

The PAM admin/key officer updates the master key using a Java-based tool named dek rotator jar. This tool does two things:

- It takes the old and the new master keys as input from the PAM admin/key officer and replaces the old master key with the new one in the file system.
- Using the new master key, the tool re-encrypts the DEK keys, which are encrypted under the old master key.

The process runs as follows:

1. The PAM admin/key officer runs dek rotator jar with a pamuser, enters the current master key, and then the desired value for the new master key.
2. After the current master key is verified and the new key is entered, they are stored together in the file system, encrypted with a hardcoded key and IV, until DEK migration is completed.
3. DEK migration starts. DEK keys located under the t dek table are migrated from the old master key to the new master key. The data previously encrypted with the old master key is also migrated in the background during the DEK migration.
4. After DEK migration is completed successfully, the dek rotator jar tool verifies that the migration went smoothly. The tool deletes the old master key from the file system only after the DEK migration is verified, to prevent any data loss in case DEK migration fails. The tool also checks the newly encrypted DEK keys' functionality to identify any possible corruption.

[DEK]old master key → [DEK]new master key

Find the master key update process flow in the Workflow section below.

## How to Update the Master Key

To update the master key, the PAM admin/key officer should follow the steps below.

### Prerequisite

- To update the master key, the PAM admin/key officer must already know the current master key, as the process requires entering the current key before typing the new one. If the current master key does not match the stored master key, the update will not succeed.
- The dek rotator jar tool must be run with a pamuser.

### Steps

1. Stop the following services before starting the update process:

   ```
   systemctl stop netright tomcat
   systemctl stop mobilet
   systemctl stop nssoapp
   systemctl stop guacd
   systemctl stop http prox
   systemctl stop sftp prox
   systemctl stop sqlprox
   systemctl stop superset
   systemctl stop sc watchdog
   systemctl stop sc diagnostics
   systemctl stop kron tacacs
   systemctl stop auth service
   ```

2. Run dek rotator jar with a pamuser as follows. You must specify the path of the netright config file when running the tool:

   ```
   java jar dek rotator jar <netright config path>
   ```

3. Enter the current master key.
4. After the current key is verified, enter the new master key.
5. DEK migration starts.
6. After the migration is completed successfully, you can start the services that you stopped before:

   ```
   systemctl start netright tomcat
   systemctl start mobilet
   systemctl start nssoapp
   systemctl start guacd
   systemctl start http prox
   systemctl start sftp prox
   systemctl start sqlprox
   systemctl start superset
   systemctl start sc watchdog
   systemctl start sc diagnostics
   systemctl start kron tacacs
   systemctl start auth service
   ```

## Workflow
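
The re-encryption and verify-before-delete flow described under "how it works", sketched as an added Java example; it is not code from the dek rotator jar tool. AES-256-GCM wrapping, the in-memory map standing in for the DEK table, and every class and method name are assumptions made for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.security.SecureRandom;
import java.util.*;

// Added illustration only. The cipher choice (AES-256-GCM) and all names here are
// assumptions; the page does not describe the tool's internals.
public class DekRewrapExample {
    static final SecureRandom RNG = new SecureRandom();

    // Wrap a DEK under a master key. Output layout: 12-byte random IV || ciphertext+tag.
    static byte[] wrap(SecretKey master, byte[] dek) throws Exception {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, master, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(dek);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Unwrap a DEK. Throws AEADBadTagException if the master key is wrong or the blob is corrupt.
    static byte[] unwrap(SecretKey master, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, master, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }

    // Re-wrap every DEK and verify each result. Any failure aborts before the caller
    // replaces the table, so the old master key and old blobs remain usable.
    static Map<String, byte[]> rotate(SecretKey oldMk, SecretKey newMk, Map<String, byte[]> table) throws Exception {
        Map<String, byte[]> migrated = new LinkedHashMap<>();
        for (Map.Entry<String, byte[]> e : table.entrySet()) {
            byte[] dek = unwrap(oldMk, e.getValue());            // wrong current master key fails here
            byte[] rewrapped = wrap(newMk, dek);
            if (!Arrays.equals(dek, unwrap(newMk, rewrapped)))   // verification pass on the new blob
                throw new IllegalStateException("verification failed for " + e.getKey());
            migrated.put(e.getKey(), rewrapped);
            Arrays.fill(dek, (byte) 0);                          // clear the plaintext DEK
        }
        return migrated;  // only after this returns should the old master key be discarded
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey oldMk = kg.generateKey(), newMk = kg.generateKey();
        Map<String, byte[]> table = new LinkedHashMap<>();       // constructed stand-in for the DEK table
        for (String id : List.of("dek-1", "dek-2")) table.put(id, wrap(oldMk, kg.generateKey().getEncoded()));
        System.out.println("migrated " + rotate(oldMk, newMk, table).size() + " DEKs");
    }
}
```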