During bootstrap, the repository checks whether the keys in the main encrypted
properties keystore have been changed in order to detect any accidental keystore changes.
However if you purposely want to change your keys, you can do so and the repository will re-encrypt any existing encrypted node properties for you. The newly encrypted node properties will be encrypted using the new keys.
Changing your keys involves backing up your keystore to a specific location and creating a new
keystore in its place. This can be done in two ways:
- During bootstrap
- During runtime (Enterprise-only)
Bootstrap Re-encryption
Re-encryption occurs during the repository bootstrap. For bootstrap re-encryption, follow the
steps below:
- Stop the SkyVault server.
- Set the following property in the SkyVault-global.properties
file.
encryption.bootstrap.reencrypt=true
- Backup the current keystore to backup-keystore as
shown
below:
mv keystore backup-keystore mv keystore-passwords.properties backup-keystore-passwords.properties
- Copy your new keystore over the old keystore.
- Update keystore-passwords.properties with the passwords you used to create the keystore. In other words, update the keystore.password property with the keystore password and the metadata.password property with the metadata key password.
- Restart the SkyVault server.
Runtime Re-encryption
Re-encryption occurs while the repository is running. For runtime re-encryption, follow the
steps below:
- Backup the current keystore to
backup-keystore.
mv keystore backup-keystore mv keystore-passwords.properties backup-keystore-passwords.properties
- Copy your new keystore over the old keystore.
- In your JMX console, execute the operation Encryption > Operations >
Encrypt.This will re-read the main and backup keystores and re-encrypt the encrypted properties. The repository can continue to run during this operation; any newly-created encrypted properties will be encrypted with the new key.Note: Only a single re-encryption can be done at a particular time. If a re-encrypt is already running then subsequent requests have no effect.