KMIP Rekey Process

Describes the rekey process for CLDB and DARE keys.

Because the keys live in an external keystore, they are backed up and replicated by that keystore rather than by the cluster, so losing a node does not lose a key. KMIP keys cannot be deleted accidentally: only an administrator can move a key to the DESTROYED state, and even then the key object remains in the keystore. The rekey procedure is therefore used mainly for routine key rotation and, in the unlikely event of a compromise, to replace a key that may have been exposed.

Key Types

The data-fabric platform uses two main keys:

  • Core Key: the key-encryption key (KEK) that encrypts the data-fabric CLDB and DARE keys
  • Common Key: the key from which keys for the various core, ecosystem and SpyGlass components are derived; those derived keys in turn encrypt the Java Cryptography Extension KeyStore (JCEKS) and other sensitive files

Rekeying the Core or Common KEK

To rekey, see mrhsm rekey.
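The two keys above form a small hierarchy: the Core key wraps the CLDB and DARE keys, and the Common key is a root from which per-component keys are derived. The Go program below is an added illustration of what rekeying such a hierarchy involves; it is not mrhsm's or the data-fabric's code. The AES-256-GCM wrapping, the HMAC-SHA256 derivation, the key names ("cldb", "dare") and the label string are assumptions made for the example, not the platform's actual formats. The point it makes is the one the key hierarchy implies: rotating the Core KEK re-wraps the CLDB and DARE keys under the new KEK without changing those keys, so data encrypted under them is untouched, whereas in this derivation model rotating the Common key changes every derived component key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// WrappedKey is a data key (here: the CLDB or DARE key) encrypted under a
// key-encryption key. Blob holds nonce || AES-GCM ciphertext || tag.
// This layout is an assumption for the example, not the data-fabric's format.
type WrappedKey struct {
	Name string
	Blob []byte
}

// NewKey returns 32 random bytes, used here for both KEKs and data keys.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func aead(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts dek under kek with AES-256-GCM. The key name is bound as
// associated data so a blob cannot be substituted under another name.
func Wrap(kek []byte, name string, dek []byte) (WrappedKey, error) {
	g, err := aead(kek)
	if err != nil {
		return WrappedKey{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return WrappedKey{}, err
	}
	return WrappedKey{Name: name, Blob: g.Seal(nonce, nonce, dek, []byte(name))}, nil
}

// Unwrap recovers the data key; it fails if the KEK or the name is wrong.
func Unwrap(kek []byte, w WrappedKey) ([]byte, error) {
	g, err := aead(kek)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if len(w.Blob) < n {
		return nil, errors.New("wrapped key too short")
	}
	return g.Open(nil, w.Blob[:n], w.Blob[n:], []byte(w.Name))
}

// Rekey rotates a KEK: every wrapped key is unwrapped with oldKEK and
// re-wrapped with newKEK. The data keys themselves never change, so nothing
// encrypted under them has to be re-encrypted. Any unwrap failure aborts the
// whole operation so the key set is never left half-rotated.
func Rekey(oldKEK, newKEK []byte, keys []WrappedKey) ([]WrappedKey, error) {
	out := make([]WrappedKey, 0, len(keys))
	for _, w := range keys {
		dek, err := Unwrap(oldKEK, w)
		if err != nil {
			return nil, fmt.Errorf("unwrap %s: %w", w.Name, err)
		}
		nw, err := Wrap(newKEK, w.Name, dek)
		if err != nil {
			return nil, err
		}
		out = append(out, nw)
	}
	return out, nil
}

// DeriveComponentKey models the Common key: a per-component key is derived
// with HMAC-SHA256 over a component label (an assumed scheme), so the Common
// key itself is never handed to a component. Rotating the Common key
// therefore changes every derived key.
func DeriveComponentKey(common []byte, component string) []byte {
	m := hmac.New(sha256.New, common)
	m.Write([]byte("component-key/" + component))
	return m.Sum(nil)
}

func main() {
	oldCore, _ := NewKey()
	newCore, _ := NewKey()
	cldb, _ := NewKey()
	wc, _ := Wrap(oldCore, "cldb", cldb)
	rewrapped, err := Rekey(oldCore, newCore, []WrappedKey{wc})
	if err != nil {
		panic(err)
	}
	got, _ := Unwrap(newCore, rewrapped[0])
	_, oldErr := Unwrap(oldCore, rewrapped[0])
	fmt.Println("CLDB key unchanged after rekey:", bytes.Equal(got, cldb))
	fmt.Println("old Core key rejected:", oldErr != nil)
}
```

Two properties worth checking after any KEK rotation are shown by the program: the unwrapped data keys are byte-for-byte identical before and after, and the retired KEK can no longer unwrap the new blobs. The real procedure is the mrhsm rekey command referenced above; the example only illustrates the shape of the operation.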