Key Rotation

Key rotation in PostgreSQL involves updating the encryption key used to secure data. When a key rotation occurs, it's important to manage sessions and data encryption carefully to ensure security and consistency.

After key rotation, any open sessions should be closed. This ensures that the old key is no longer in use. Once the sessions are closed, open a new session and use the get_key() function to fetch the latest key version. This new key version will be used to encrypt any new data.

It's important to note that after key rotation, older data remains encrypted with the previous key version. Only new data will be encrypted with the latest key version. If you need to re-encrypt older data with the new key, you must first decrypt the data using the old key and then encrypt it again using the new key version.
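The re-encryption pass described above, as an added example that is not part of the original page or the product's own code. It assumes a hypothetical table `customer_secret` with a `key_version` column and a hypothetical function `reencrypt_batch`. pgcrypto's `pgp_sym_encrypt`/`pgp_sym_decrypt` stand in for the platform's encryption calls, and the keys are constructed values rather than output of get_key().

```sql
-- Added example. pgcrypto stands in for the platform's own encrypt/decrypt
-- calls, which this page does not show. Table, function and keys are constructed.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE customer_secret (            -- hypothetical table
    id          bigint  PRIMARY KEY,
    key_version integer NOT NULL,         -- key version that produced ciphertext
    ciphertext  bytea   NOT NULL
);

-- Hypothetical helper: move up to p_batch rows from the old key version to the
-- new one. If any decryption raises, the whole batch is rolled back.
CREATE FUNCTION reencrypt_batch(
    p_old_version integer, p_old_key text,
    p_new_version integer, p_new_key text,
    p_batch       integer DEFAULT 1000
) RETURNS integer
LANGUAGE plpgsql AS $$
DECLARE
    n integer;
BEGIN
    WITH todo AS (
        SELECT id FROM customer_secret
        WHERE key_version = p_old_version  -- only rows still on the old key
        ORDER BY id
        LIMIT p_batch
        FOR UPDATE SKIP LOCKED             -- do not block concurrent writers
    )
    UPDATE customer_secret c
    SET ciphertext  = pgp_sym_encrypt(
                          pgp_sym_decrypt(c.ciphertext, p_old_key), p_new_key),
        key_version = p_new_version        -- ciphertext and version change together
    FROM todo
    WHERE c.id = todo.id;
    GET DIAGNOSTICS n = ROW_COUNT;
    RETURN n;                              -- number of rows re-encrypted
END;
$$;

-- Constructed rows: two on key version 1, one already on version 2.
INSERT INTO customer_secret VALUES
    (1, 1, pgp_sym_encrypt('alice-4111', 'constructed-old-key')),
    (2, 1, pgp_sym_encrypt('bob-5500',   'constructed-old-key')),
    (3, 2, pgp_sym_encrypt('carol-3400', 'constructed-new-key'));

-- Repeat until the function returns 0, then confirm no rows remain on version 1.
SELECT reencrypt_batch(1, 'constructed-old-key', 2, 'constructed-new-key');
SELECT key_version, count(*) FROM customer_secret GROUP BY key_version;
```

Key material written as SQL literals can land in statement logs and `pg_stat_activity`, so in practice bind it as a parameter from the session that fetched it.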

Scheduled Key Rotation

You can set up scheduled key rotation either on the Key Set or on the CloudKey.

Scheduled rotation on the Key Set: 

  1. Log into the Cryptographic Security Platform Vault for Databases webGUI.

  2. In the top menu bar, click CloudKeys.

  3. Select the Key Sets tab, and then select the specific Key Set on which you want to apply scheduled key rotation.

  4. Select the Details tab and update the Default Rotation Schedule.

    If there are existing CloudKeys in the Key Set, you can update the rotation schedule of the CloudKeys to align with your new Key Set rotation schedule by checking the Apply to all CloudKeys checkbox.

  5. Click Save.

Scheduled rotation on the CloudKey: 

  1. Log into the Cryptographic Security Platform Vault for Databases webGUI.

  2. In the top menu bar, click CloudKeys.

  3. Select the CloudKeys tab, and then select the appropriate Key Set.

  4. Select the specific CloudKey on which you want to apply scheduled key rotation.

  5. Select the Details tab and update the Rotation Schedule.

  6. Click Save.

Manually Rotating a CloudKey

  1. Log into the Cryptographic Security Platform Vault for Databases webGUI.

  2. In the top menu bar, click CloudKeys.

  3. Select the CloudKeys tab, and then select the appropriate Key Set.

  4. Select the specific CloudKey that you want to rotate.

  5. Select the Details tab and then click Rotate Now in the Rotation Schedule row.

  6. Click Save.