Encryption Key Rotation
  • 13 Jun 2023
  • 2 Minutes to read
  • Dark
    Light

Encryption Key Rotation

  • Dark
    Light

Article summary

Feature
Introduced in Version6.8.64500
Last Modified in Version8.10.
LocationSystem > Encryption

Overview

In an effort to support PCI and SOC compliance, data stored within Decisions can encrypted using a rotating encryption key. This prevents data from being compromised if a key is lost or stolen. 


Accessing Key Rotation

To view the Key Rotation History, navigate to System > Administration > Encryption. The Key Rotation dashboard will be appear, displaying the rotation history.



What is unaffected/unchanged by Key Rotation?

Cached data will not be affected by rotating Encryption Keys. 

In addition, data that cannot be updated/decrypted during this process will:

  • Become a task assigned to the admin group for review.
  • Become recorded in a encryption_key_change_issue table within the Decisions database with the following columns:
    • Source datatype Table 
    • Source datatype ID
    • Field Name
    • Data
    • Date Time
    • Current Key

Changing Keys

Upgrade Data Encryption
In versions prior to 6.4, all data in the database must be upgraded to support key rotation. This process can be initialized using the Start Upgrade to Support Encryption action. Data cannot be encrypted until this action has been completed.

In order to start rotating encryption keys: 

  1. Select the Start Encryption Key Rotation action on the Key Rotation dashboard.
  2. A popup will appear. Confirm that the key will be rotated.


If the rotation was successful then:

  • The Rotation Status is set to Complete
  • Old keys.dat is moved to archive/Keys.dat.MMddYYYY folder within the Decisions folder tree.
  • NewKeys.dat becomes the new keys.dat file
Rotating keys for clustered environments
For clustered environments, the updated encryption keys will be sent to other nodes within the cluster. The action will only be needed to be started on the environment marked as the Job Server. 

For clustered environments, the updated encryption keys will be sent to other nodes within the cluster.


If the encryption is unsuccessful, then the following will occur

  • The status message on the Keys dashboard will be updated to Rotation Not Available: Encryption Issues Exist.
  • The Encryption Issues Report will be updated, displaying the cause for failure.
  • All issues must be resolved in order for Key rotation to continue.

Dashboards

The following section lists the different dashboards and reports available under System > Encryption Folder

FeatureDescriptionScreenshot
Key RotationThe main dashboard displayed when navigating to Encryption > Key Rotation. Displays a list of activities involving Key rotation.
KeysA Report that displays the list of active encryption keys within Decisions
Encryption IssuesA Report detailing a list of encryption issues that are preventing encryption keys from being rotated.
Issue Resolution HistoryA report detailing what actions were taken to resolve issues that had appeared when attempting to encrypt keys for the environment.

Status

The following section lists common status messages for the encryption process.

StatusDescription
Key Rotation is AvailableThis status means that key rotation is available, and can be run.  We recommend that this is done during a maintenance window.
Rotation Not Available: Encryption Issues Exist

There are issues with encrypted data, or a previous key rotation appears to be in progress. This will prevent the encryption keys from being rotated until all issues are resolved.

CompleteThe encryption key has been successfully rotated. No further actions are necessary.



Was this article helpful?