ECS supports key rotation: periodically replacing keys so that the amount of data protected by any single key stays bounded, in line with industry-standard practice. Rotation can be performed on demand through both the API and the user interface and is designed to minimize the risk from a compromised key.
- When a rotation task is initiated, it rotates the master key in EKM (or in ECS, for native key management) and the rotation key in ECS.
- When the keys are rotated, RotationKeyReWrapTaskScanner and NamespaceRewrapTaskScanner also start.
- NamespaceRewrapTask triggers rewrapping of all namespaces on the system. Rewrapping a namespace means protecting the namespace key with the new virtual master key.
- RotationKeyReWrapTask protects all existing rotation keys with the new virtual master key.
- With EKM, a separate EKMBackgroundScanner looks for old master keys that are no longer in use and deactivates them in EKM. Once keys are deactivated, the customer can delete them externally in EKM.
When EKM cluster activation or key rotation is initiated via the API or UI, the following flow of events occurs via EKMClusterActivationScanner, RotationTaskScanner, RotationKeyRewrapScanner and NamespaceRewrapScanner, as shown in Figure 5.
Figure 5. Cluster activation state
The system performs the following process:
- Creates a master key in EKM (for native key rotation, the master key is created in ECS).
- Creates a rotation key in ECS.
- Updates ActiveMasterKeyRecord to point to the newly created MasterKeyRecord.
- Updates ActiveRotationKeyRecord to point to the new RotationKeyRecord.
- Initiates RotationKeyReWrapTask and NamespaceRewrapTask.
- RotationKeyReWrapTask protects all existing rotation keys with the new virtual master key (derived from the master key and the RT Data Encryption Key).
- NamespaceRewrapTask triggers rewrapping of all namespaces on the system. Rewrapping a namespace means protecting the namespace key with the new virtual master key.
- If master key creation fails, it is retried at most three times, each retry resuming from the state in which it failed.
- A failure in any other state leads to the TRANSIENT_ERROR state, from which the task is expected to complete on retry. In TRANSIENT_ERROR, the state machine restarts from the last saved state. For example, if the last saved state is MASTERKEYACTIVATED and the task is in TRANSIENT_ERROR, the next state executed is KEYACTIVATED.
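The following is an added toy model of the rotation flow described in the two lists above (the scanner overview and the step-by-step process); it is example code written for this page, not ECS code. It assumes HMAC-SHA256 as the derivation function for the virtual master key and a simple encrypt-then-MAC construction as a stand-in for whatever key wrap ECS actually uses, invents state names other than MASTERKEYACTIVATED, KEYACTIVATED and TRANSIENT_ERROR, and injects failures through a constructed `faults` table. What it shows is the ordering the page requires (new master key activated before the rotation key, both active before any rewrap), the three retries for master key creation, resumption from the last saved state after TRANSIENT_ERROR, and a check that after a completed rotation nothing is still wrapped under the old virtual master key.

```python
import hashlib
import hmac
import os


def derive_vmk(master_key: bytes, rt_dek: bytes) -> bytes:
    """Virtual master key derived from the master key and the RT Data Encryption Key.
    HMAC-SHA256 as the KDF is an assumption made for this example."""
    return hmac.new(master_key, b"virtual-master-key|" + rt_dek, hashlib.sha256).digest()


def wrap(kek: bytes, key: bytes) -> bytes:
    """Toy encrypt-then-MAC wrap of a 32-byte key (stand-in for the real key wrap)."""
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"enc|" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(key, stream))
    tag = hmac.new(kek, b"mac|" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(kek, b"mac|" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong or stale key-encryption key")
    stream = hmac.new(kek, b"enc|" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


class KeyHierarchy:
    """Simplified model of the records the rotation flow updates."""

    def __init__(self, namespaces):
        self.rt_dek = os.urandom(32)                 # RT Data Encryption Key
        self.master_keys = {"mk-0": os.urandom(32)}  # MasterKeyRecord id -> key (EKM or native store)
        self.active_master = "mk-0"                  # ActiveMasterKeyRecord
        self.previous_master = self.pending_master = self.last_saved = None
        self.deactivated = set()
        self.state = "IDLE"
        vmk = self.vmk()
        self.rotation_keys = {"rk-0": wrap(vmk, os.urandom(32))}  # rotation keys wrapped under the VMK
        self.active_rotation = "rk-0"                              # ActiveRotationKeyRecord
        self.namespaces = {ns: wrap(vmk, os.urandom(32)) for ns in namespaces}  # namespace keys under the VMK

    def vmk(self, master_id=None):
        return derive_vmk(self.master_keys[master_id or self.active_master], self.rt_dek)


def rotate(h: KeyHierarchy, faults: dict) -> str:
    """Run the rotation state machine once. `faults` maps a step name to how many times
    that step should still fail (constructed fault injection for this example)."""

    def maybe_fail(step):
        if faults.get(step, 0) > 0:
            faults[step] -= 1
            raise RuntimeError(step + " failed")

    def create_master_key():                         # EKM, or ECS for native rotation
        maybe_fail("create_master_key")
        h.pending_master = "mk-%d" % len(h.master_keys)
        h.master_keys[h.pending_master] = os.urandom(32)

    def activate_master_key():                       # ActiveMasterKeyRecord -> new MasterKeyRecord
        maybe_fail("activate_master_key")
        h.previous_master, h.active_master = h.active_master, h.pending_master

    def activate_rotation_key():                     # new rotation key, already under the new VMK
        maybe_fail("activate_rotation_key")
        rid = "rk-%d" % len(h.rotation_keys)
        h.rotation_keys[rid] = wrap(h.vmk(), os.urandom(32))
        h.active_rotation = rid                      # ActiveRotationKeyRecord -> new RotationKeyRecord

    def rewrap():                                    # RotationKeyReWrapTask + NamespaceRewrapTask
        maybe_fail("rewrap")
        old_vmk, new_vmk = h.vmk(h.previous_master), h.vmk()
        for rid, blob in h.rotation_keys.items():
            if rid != h.active_rotation:
                h.rotation_keys[rid] = wrap(new_vmk, unwrap(old_vmk, blob))
        for ns, blob in h.namespaces.items():
            h.namespaces[ns] = wrap(new_vmk, unwrap(old_vmk, blob))

    # Saved state after each step; the order is the security property: no rewrap before
    # both new keys are active. Only MASTERKEYACTIVATED / KEYACTIVATED are names from the page.
    steps = [("MASTERKEYCREATED", create_master_key), ("MASTERKEYACTIVATED", activate_master_key),
             ("KEYACTIVATED", activate_rotation_key), ("REWRAPPED", rewrap)]
    names = [s for s, _ in steps]
    start = names.index(h.last_saved) + 1 if h.last_saved in names else 0  # resume after last saved state
    for state, step in steps[start:]:
        retries = 3 if state == "MASTERKEYCREATED" else 0   # master key creation: at most three retries
        while True:
            try:
                step()
                break
            except RuntimeError:
                if retries == 0:
                    h.state = "TRANSIENT_ERROR"   # caller re-runs rotate(); it resumes from h.last_saved
                    return h.state
                retries -= 1
        h.state = h.last_saved = state
    h.state = "COMPLETED"
    return h.state


def verify_rewrapped(h: KeyHierarchy) -> bool:
    """True when every wrapped key opens under the new VMK and none still opens under the old one."""
    new_vmk, old_vmk = h.vmk(), h.vmk(h.previous_master)
    for blob in list(h.namespaces.values()) + list(h.rotation_keys.values()):
        unwrap(new_vmk, blob)                        # raises if not rewrapped under the new VMK
        try:
            unwrap(old_vmk, blob)
            return False                             # stale wrap would let an old key decrypt it
        except ValueError:
            pass
    return True


def deactivate_unused_master_keys(h: KeyHierarchy) -> list:
    """EKMBackgroundScanner stand-in: only after the rotation completed may old master keys go."""
    if h.state != "COMPLETED":
        return []
    stale = [m for m in h.master_keys if m != h.active_master and m not in h.deactivated]
    h.deactivated.update(stale)
    return stale
```

Running `rotate` with a fault table such as `{"create_master_key": 2, "activate_rotation_key": 1}` exercises both failure paths in one go: the two creation failures are absorbed by the retry budget, the rotation-key failure lands the task in TRANSIENT_ERROR with MASTERKEYACTIVATED saved, and a second `rotate` call picks up at KEYACTIVATED and finishes. `verify_rewrapped` is the check worth keeping from this model: a rotation that reports COMPLETED while some record still unwraps under the old virtual master key has not actually retired that key.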
Note: Switching from EKM to internal ECS key management requires help from support via dtquery.