https://www.manageengine.com/products/passwordmanagerpro/help/installation.html#managing_encryption_key
Rotating Encryption Key
(Feature available only in Enterprise Edition)
Even though the encryption key is stored and managed outside PMP, periodically changing it is a recommended practice: it limits how long any single key protects the stored passwords. PMP provides an option to rotate the encryption key automatically.
How does the key rotation process work?
PMP looks for the current encryption key in the pmp_key.key file at the path specified in manage_key.conf, which lives under <PMP_HOME>/conf. The rotation proceeds only if the key file is present at that path. Before rotating the key, PMP takes a copy of the entire database so that no data is lost if anything goes wrong during rotation.
During rotation, all passwords and other sensitive data are first decrypted with the current encryption key and then re-encrypted with the new key. The new key is then written to the pmp_key.key file at the location specified in manage_key.conf; if an error occurs while writing the key, the rotation does not continue. At the end of a successful rotation, PMP also writes the old encryption key into the same file that now holds the new key. Note that the database copy taken before rotation is still encrypted with the old key, so the copy and the old key together can decrypt every stored password: protect both as carefully as the live database and the new key.
To rotate the encryption key (if you are NOT using High Availability)
- The current encryption key (the pmp_key.key file) must be present at the location specified in manage_key.conf, and the PMP process must have read and write permission on that file.
- The PMP server must be stopped.
- Open a command prompt and navigate to <PMP-Installation-Folder>/bin directory and execute RotateKey.bat (in Windows) or sh RotateKey.sh (in Linux)
- Based on the number of passwords managed and other parameters, the rotation process will take a few minutes to complete
- Once you see the confirmation message about successful completion of the rotation process, you can start the PMP server.
To rotate the encryption key (if you are using High Availability setup)
- Go to Admin tab>>General>>High Availability in the web interface and make sure that both the high availability status and the replication status are alive.
- The current encryption key (the pmp_key.key file) must be present at the location specified in manage_key.conf, and the PMP process must have read and write permission on that file.
- Stop the PMP Primary server and make sure the PMP Secondary server is running.
- Open a command prompt on the PMP Primary installation, navigate to its /bin directory and execute RotateKey.bat (in Windows) or sh RotateKey.sh (in Linux).
- Based on the number of passwords managed and other parameters, the rotation process will take a few minutes to complete. You will see a confirmation message upon successful completion.
- Copy the new pmp_key.key file from the Primary installation to the location from which the standby reads pmp_key.key, as specified in the standby's manage_key.conf file. Then start the Primary and Standby servers.
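The pre-flight checks and post-rotation verification for both procedures above (single server and High Availability), as an added shell example for a Linux installation. This is not PMP's own tooling. It assumes the operator supplies PMP_HOME and the absolute path of pmp_key.key (the page does not show the syntax of manage_key.conf, so the file is not parsed), has already stopped the PMP server (the Primary only, in an HA setup), and, for HA, passes the standby as user@host so the new key file can be copied with scp to the same path there. The snapshot copy of the key file taken before rotation and the fingerprint comparison afterwards are additions of this example.

```shell
#!/bin/sh
# Pre-flight checks and a wrapper around RotateKey.sh for a Linux PMP install.
# Added example, not part of PMP. Assumptions: PMP_HOME and the absolute path
# of pmp_key.key are supplied by the operator (manage_key.conf is not parsed
# because its format is not shown on the page), and the PMP server (the
# Primary only, under HA) has already been stopped.

# Return 0 if the key file exists, is readable and writable, and is non-empty;
# 1, 2 or 3 otherwise, matching the conditions required before rotation.
check_key_file() {
    key="$1"
    if [ ! -f "$key" ]; then
        echo "pmp_key.key not found at $key; check manage_key.conf" >&2
        return 1
    fi
    if [ ! -r "$key" ] || [ ! -w "$key" ]; then
        echo "PMP needs read and write access to $key" >&2
        return 2
    fi
    if [ ! -s "$key" ]; then
        echo "$key is empty; refusing to rotate" >&2
        return 3
    fi
    return 0
}

# SHA-256 of a file as hex; used to prove the key file really changed.
key_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Copy the current key file to a mode-0600 backup before rotating. Keep it
# with the pre-rotation database copy PMP makes: together they decrypt
# everything, so treat both as secrets.
snapshot_key() {
    (umask 077 && cp "$1" "$2" && chmod 600 "$2")
}

# Run the rotation and verify the key file changed.
# $1 = PMP_HOME, $2 = absolute path of pmp_key.key,
# $3 = optional standby "user@host" that receives the new key file (HA only).
rotate_key() {
    pmp_home="$1"; key="$2"; standby="$3"
    check_key_file "$key" || return $?
    before=$(key_fingerprint "$key")
    snapshot_key "$key" "$key.pre-rotation.$(date +%Y%m%d%H%M%S)" || return 4
    (cd "$pmp_home/bin" && sh RotateKey.sh) || return 5
    after=$(key_fingerprint "$key")
    if [ "$before" = "$after" ]; then
        echo "key file unchanged after RotateKey.sh; do not start PMP" >&2
        return 6
    fi
    if [ -n "$standby" ]; then
        # Same path on the standby, i.e. what its manage_key.conf points to
        scp "$key" "$standby:$key" || return 7
    fi
    echo "rotated: $before -> $after"
    return 0
}
```

Run it as `rotate_key /opt/PMP /secure/keys/pmp_key.key` on a single server, or add `pmpadmin@standby-host` as the third argument under HA; a non-zero return means stop and investigate before starting any PMP server, since the fingerprint check is the only signal here that the re-encryption and the key write both took effect.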