Rotating Runtime CredHub Encryption Keys


This topic describes how to rotate the CredHub encryption keys for Pivotal Application Service (PAS). CredHub uses its encryption keys to encrypt the secrets it stores. When an operator adds another key and marks it as primary, CredHub rotates the stored secrets onto that new key.

During rotation, CredHub decrypts each stored value with the existing key and then re-encrypts it with the new primary key. Until the rotation completes, the old key is still required to read any value that has not yet been re-encrypted.

Warning: If you remove an encryption key and click Apply Changes before the rotation completes, the deployment breaks. Data that was encrypted with the deleted key can no longer be decrypted, so you can no longer access it. Remove the old key only after you have verified that the rotation has completed.

Rotate PAS Encryption Keys

To rotate PAS encryption keys:

  1. Navigate to the Ops Manager Installation Dashboard.

  2. Click the PAS tile.

  3. Select CredHub.

  4. In the Encryption Keys section, click Add.

  5. For Name, enter the name of your new encryption key.

  6. For Key, enter your new encryption key.

  7. Select the Primary check box.

  8. Click Save.

  9. Navigate to the Ops Manager Installation Dashboard.

  10. Click Review Pending Changes, then Apply Changes.

Verify PAS Encryption Key Rotation

To verify that the rotation has completed:

  1. Click the PAS tile.

  2. Select the Status tab.

  3. Within the CredHub job, locate the row with Index 0. The Status table shows two CredHub rows; use the one whose Index column is 0.

  4. In the Logs column of that row, click the download icon.

  5. Select the Logs tab.

  6. Click the corresponding link to retrieve the downloaded log file.

  7. Unzip the log file.

  8. Unzip the larger of the two nested directories.

  9. Ops Manager generates a compressed file for each CredHub VM that exists on your deployment. Unzip each of these compressed files.

  10. Open the credhub directory.

  11. Open the credhub.log file. If the PAS credential rotation completed successfully, the CredHub log contains the following string, where NUMBER-OF-CREDENTIALS is the number of stored items that were re-encrypted: Successfully rotated NUMBER-OF-CREDENTIALS items. Check the log from every CredHub VM; the rotation is complete only when each of them contains this string.

  12. Return to the CredHub pane of the PAS tile to remove the old encryption key. Do this only after every CredHub VM log shows the success string.

  13. In the Encryption Keys section, click the trashcan icon that corresponds to the old encryption key.

  14. Click Save.

  15. Navigate to the Ops Manager Installation Dashboard.

  16. Click Review Pending Changes, then Apply Changes.
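The log check in steps 7 to 11 above, scripted so that it covers every CredHub VM in one pass. This is an added example and not part of the original page or of the Ops Manager or CredHub tooling. It assumes you have already unzipped the downloaded bundle and the nested per-VM archives into one directory tree, so that each CredHub VM contributes a credhub/credhub.log file somewhere under that tree; the only string it relies on is the "Successfully rotated NUMBER-OF-CREDENTIALS items" marker quoted above. The sample log lines produced by make_sample_log are constructed for this example, not captured from a real deployment.

```shell
#!/bin/sh
# Added example, not from the Pivotal documentation: scan an extracted
# Ops Manager log bundle and report whether every CredHub VM finished
# rotating. Assumes the layout described in the procedure above (one
# directory per CredHub VM, each holding credhub/credhub.log). The
# success marker is the string the docs say CredHub logs; everything
# else in the logs written by make_sample_log is constructed.

# Line CredHub writes once every stored item has been re-encrypted.
ROTATION_PATTERN='Successfully rotated [0-9]+ items'

# rotation_completed LOGFILE: exit 0 if the marker is present, 1 otherwise.
rotation_completed() {
  grep -qE "$ROTATION_PATTERN" "$1"
}

# rotated_count LOGFILE: print the item count from the last marker line
# (prints nothing if the marker is absent).
rotated_count() {
  sed -nE 's/.*Successfully rotated ([0-9]+) items.*/\1/p' "$1" | tail -n 1
}

# check_bundle DIR: exit 0 only if at least one credhub.log is found under
# DIR and every one of them shows a completed rotation. Finding no log at
# all is a failure, so a wrong path cannot be mistaken for success.
# Assumes the extracted log paths contain no whitespace.
check_bundle() {
  dir="$1"
  found=0
  failed=0
  for log in $(find "$dir" -path '*/credhub/credhub.log' | sort); do
    found=$((found + 1))
    if rotation_completed "$log"; then
      printf 'OK   %s (rotated %s items)\n' "$log" "$(rotated_count "$log")"
    else
      printf 'FAIL %s (no rotation marker; keep the old key)\n' "$log"
      failed=$((failed + 1))
    fi
  done
  if [ "$found" -eq 0 ]; then
    echo "no credhub.log found under $dir" >&2
    return 1
  fi
  [ "$failed" -eq 0 ]
}

# make_sample_log FILE COMPLETED: write a constructed credhub.log so the
# checks can be exercised offline. COMPLETED=1 appends the success marker;
# 0 leaves the rotation unfinished, as on a VM that is still re-encrypting.
make_sample_log() {
  mkdir -p "$(dirname "$1")"
  {
    echo '2019-05-01T10:00:01.000Z INFO  credhub - Started CredHub (constructed sample line)'
    echo '2019-05-01T10:00:02.000Z INFO  credhub - Starting encryption key rotation (constructed sample line)'
    if [ "$2" = 1 ]; then
      echo '2019-05-01T10:00:05.000Z INFO  credhub - Successfully rotated 412 items'
    fi
  } > "$1"
}

# Usage: sh check-rotation.sh /path/to/extracted-log-bundle
[ "$#" -eq 0 ] || check_bundle "$1"
```

Run it against the directory you extracted in steps 7 to 9; a non-zero exit status, or any FAIL line, means at least one CredHub VM has not finished re-encrypting and the old key must stay in place. Treating "no log found" as a failure is deliberate: the dangerous mistake here is deleting a key on a false sense of completion, so the script refuses to report success when it has nothing to inspect.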