Rotating PAS CredHub Encryption Keys

This topic describes how to rotate the encryption keys used by runtime CredHub. Encryption keys are the values CredHub uses to encrypt stored secrets at rest. When an operator adds an additional key and marks it as primary, CredHub rotates stored secrets from the old key to the new one.

During this rotation, CredHub uses the original encryption key to decrypt each stored value and then re-encrypts that value with the new primary key.

WARNING: If you remove an encryption key and click Apply Changes before the rotation completes, the deployment enters a broken state. In this state, you can no longer access data stored with the deleted key.

Rotate PAS encryption keys

Follow the steps below to rotate PAS encryption keys.

  1. Navigate to the Ops Manager Installation Dashboard.
  2. Click the Pivotal Application Service tile.
  3. Select the CredHub tab.
  4. In the Encryption Keys section, click Add.
  5. For Name, enter the name of your new encryption key.
  6. For Key, enter your new encryption key.
  7. Select the Primary check box.
  8. Click Save.
  9. Navigate to the Ops Manager Installation Dashboard.
  10. Click Apply Changes.

Verify PAS encryption key rotation

Follow the steps below to verify that the rotation completes.

  1. Click the Pivotal Application Service tile.
  2. Select the Status tab.
  3. Within the CredHub job, locate Index 0.
  4. Within the Logs column, click the corresponding download icon.
  5. Select the Logs tab.
  6. Click the corresponding link to retrieve the downloaded log file.
  7. Unzip the log file.
  8. Unzip the larger of the two nested directories.
  9. Ops Manager generates a compressed file for each CredHub virtual machine that exists on your deployment. Unzip each of these compressed files.
  10. Open the credhub directory.
  11. Open the credhub.log file. If the PAS credential rotation completed successfully, the CredHub log contains the following string: Successfully rotated NUMBER-OF-CREDENTIALS items
  12. Remove the old encryption key.
  13. Click the trashcan icon that corresponds to the old encryption key.
  14. Click Save.
  15. Navigate to the Ops Manager Installation Dashboard.
  16. Click Apply Changes.
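Steps 7 through 11 above have you unzip the log bundle and search each CredHub VM's credhub.log by hand. Because removing the old key before every VM has finished rotating leaves the deployment unable to read data encrypted with that key, it is worth checking all of the VM logs in one pass rather than only the first one. The following Python script is an added example, not code from Ops Manager, CredHub or Pivotal: point check_log_bundle() at the directory where you extracted the bundle and it locates every credhub/credhub.log, looks for the "Successfully rotated N items" marker, and reports per-VM status. The directory layout (one directory per VM containing a credhub subdirectory), the function names, and the sample log lines are assumptions constructed for the example; only the completion string comes from the procedure above.

```python
"""Scan an extracted Ops Manager log bundle for CredHub rotation results.

Hypothetical helper (not part of Ops Manager or CredHub). It finds every
credhub.log under a 'credhub' directory (one per CredHub VM), looks for the
"Successfully rotated N items" line, and reports per-VM status so the old
key is only removed once every VM has finished rotating.
"""
import os
import re
import tempfile

# Completion marker named in the rotation procedure; the item count varies.
ROTATION_DONE = re.compile(r"Successfully rotated (\d+) items")


def parse_rotation_count(log_text):
    """Return the rotated-item count from the last completion line, or None."""
    matches = ROTATION_DONE.findall(log_text)
    return int(matches[-1]) if matches else None


def check_log_bundle(root):
    """Map each credhub.log path under root to its rotated count (None = not done)."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "credhub" and "credhub.log" in files:
            path = os.path.join(dirpath, "credhub.log")
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[path] = parse_rotation_count(fh.read())
    return results


def rotation_complete(results):
    """True only when at least one log was found and every VM reports completion."""
    return bool(results) and all(count is not None for count in results.values())


def build_sample_bundle():
    """Write a constructed two-VM bundle to a temp directory and return its root.

    The log lines are made up for this example (assumed format); only the
    completion string matches what the verification steps tell you to look for.
    One VM has finished rotating, the other has not.
    """
    root = tempfile.mkdtemp(prefix="credhub-bundle-")
    logs = {
        "credhub-0": [
            "2024-01-01T10:00:00Z INFO  Starting encryption key rotation",
            "2024-01-01T10:02:13Z INFO  Successfully rotated 1432 items",
        ],
        "credhub-1": [
            "2024-01-01T10:00:00Z INFO  Starting encryption key rotation",
            "2024-01-01T10:01:00Z INFO  Rotation in progress",
        ],
    }
    for vm, lines in logs.items():
        vm_dir = os.path.join(root, vm, "credhub")
        os.makedirs(vm_dir)
        with open(os.path.join(vm_dir, "credhub.log"), "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
    return root


if __name__ == "__main__":
    bundle = build_sample_bundle()
    status = check_log_bundle(bundle)
    for path, count in sorted(status.items()):
        state = f"rotated {count} items" if count is not None else "NOT complete"
        print(f"{os.path.relpath(path, bundle)}: {state}")
    # Only remove the old key (steps 12-16) when this prints True.
    print("safe to remove old key:", rotation_complete(status))
```

On a real bundle, replace build_sample_bundle() with the path of your extraction root; the script reads only the log files and changes nothing in the deployment. A VM whose log shows no completion line is reported as "NOT complete", and rotation_complete() returns False until every VM reports the marker, which is the condition under which removing the old key is safe.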
