Rotating Runtime CredHub Encryption Keys


This topic discusses how to rotate runtime CredHub encryption keys. Encryption keys are the values that CredHub uses to encrypt the secrets it stores. When an operator adds a new key and marks it as primary, CredHub rotates the stored secrets onto that key.

During this rotation, CredHub decrypts each stored value with the previous encryption key and then re-encrypts it with the new primary key. Until the rotation finishes, some values are still encrypted with the old key, so both keys must remain configured.

WARNING: If you remove an encryption key and click Apply Changes before the rotation completes, the deployment breaks. Any value still encrypted with the deleted key can no longer be decrypted, and you lose access to that data. Verify the rotation (see below) before removing the old key.

Rotate PAS Encryption Keys

To rotate PAS encryption keys, do the following:

  1. Navigate to the Ops Manager Installation Dashboard.

  2. Click the Pivotal Application Service tile.

  3. Select the CredHub tab.

  4. In the Encryption Keys section, click Add.

  5. For Name, enter the name of your new encryption key.

  6. For Key, enter your new encryption key.

  7. Select the Primary check box.

  8. Click Save.

  9. Navigate to the Ops Manager Installation Dashboard.

  10. Click Apply Changes.

Verify PAS Encryption Key Rotation

To verify that the rotation completes, do the following:

  1. Click the Pivotal Application Service tile.

  2. Select the Status tab.

  3. Within the CredHub job, locate Index 0.

  4. Within the Logs column, click the correlating download icon.

  5. Select the Logs tab.

  6. Click the corresponding link to retrieve the downloaded log file.

  7. Unzip the log file.

  8. Unzip the larger of the two nested directories.

  9. Ops Manager generates a compressed file for each CredHub VM that exists on your deployment. Unzip each of these compressed files.

  10. Open the credhub directory.

  11. Open the credhub.log file. If the PAS credential rotation completed successfully, the CredHub log contains the following string, where NUMBER-OF-CREDENTIALS is the count of rotated values: Successfully rotated NUMBER-OF-CREDENTIALS items. Check the log of every CredHub VM before continuing.

  12. Return to the CredHub tab of the Pivotal Application Service tile to remove the old encryption key.

  13. Click the trashcan icon that corresponds to the old encryption key.

  14. Click Save.

  15. Navigate to the Ops Manager Installation Dashboard.

  16. Click Apply Changes.
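As an added example that is not part of the Ops Manager or CredHub documentation, the following POSIX shell script automates steps 9 to 11 above once the downloaded log bundle has been unpacked: it finds every credhub/credhub.log under a directory, reports whether each one records a completed rotation, and exits successfully only when every CredHub VM does. The directory layout and all sample log lines other than the "Successfully rotated N items" message are constructed assumptions, not real Ops Manager output.

```shell
#!/bin/sh
# Added example, not code from Ops Manager or CredHub. Checks unpacked CredHub
# job logs for the rotation-complete marker documented on this page.

# Marker CredHub writes when an encryption key rotation finishes (from the page).
ROTATION_PATTERN='Successfully rotated [0-9][0-9]* items'

# check_rotation_log FILE
# Prints the number of rotated items and returns 0 if FILE records a completed
# rotation; prints nothing and returns 1 otherwise.
check_rotation_log() {
    file="$1"
    line=$(sed -n "s/.*\($ROTATION_PATTERN\).*/\1/p" "$file" | tail -n 1)
    [ -n "$line" ] || return 1
    echo "$line" | awk '{print $3}'
}

# verify_rotation DIR
# Walks an unpacked log bundle (one subdirectory per CredHub VM, each holding
# credhub/credhub.log), reports each VM, and returns 0 only when every VM shows
# a completed rotation. Returns 2 if no credhub.log was found at all.
# Assumes paths without whitespace.
verify_rotation() {
    dir="$1"
    rc=0
    found=0
    for log in $(find "$dir" -path '*/credhub/credhub.log' | sort); do
        found=1
        if count=$(check_rotation_log "$log"); then
            echo "OK   $log: rotated $count items"
        else
            echo "WAIT $log: no completed rotation recorded yet, do not remove the old key"
            rc=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no credhub/credhub.log found under $dir"
        return 2
    fi
    return $rc
}

# make_sample_bundle DIR
# Constructed stand-in for an unpacked bundle with two CredHub VMs: one that
# finished rotating and one that has not logged completion yet. The log lines
# are invented filler except for the rotation marker itself.
make_sample_bundle() {
    dir="$1"
    mkdir -p "$dir/credhub-0/credhub" "$dir/credhub-1/credhub"
    cat > "$dir/credhub-0/credhub/credhub.log" <<'EOF'
2019-01-01T00:00:00Z INFO  (constructed) rotation started
2019-01-01T00:00:05Z INFO  Successfully rotated 128 items
EOF
    cat > "$dir/credhub-1/credhub/credhub.log" <<'EOF'
2019-01-01T00:00:00Z INFO  (constructed) rotation started
EOF
}

# Stand-alone demo on the constructed bundle. To check a real download, run
# verify_rotation against the directory you unpacked in steps 7 to 9.
sample=$(mktemp -d)
make_sample_bundle "$sample"
verify_rotation "$sample" || echo "rotation incomplete on at least one CredHub VM"
rm -r "$sample"
```

Run verify_rotation on the top-level directory produced by unzipping the bundle; a non-zero exit means at least one CredHub VM has not logged completion, and the old key must stay configured until every VM reports OK.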
