Requesting assistance on Intersystems Cache Managed Key Encryption
Requesting assistance on Intersystems Cache Managed Key Encryption.
We have configured the KMIP Server.
The KMIP server is an external HSM box. I was not able to find any info on key rotation, or on what type of encryption it follows, i.e. a 1-tier or a 2-tier approach.
Can someone please assist on the same?
Are you asking about the KMIP server and how it works? If so, I don't think this is the right place to ask, and would recommend you talk to people who know more about your KMIP system.
Or are you asking about how Cache handles key rotation for encrypted databases and/or managed key encryption? If so, this is mostly up to the user. There isn't automatic re-keying of databases on a schedule.
In most DBs, we do master key rotation from time to time for security reasons. In my case, I have created a KMIP server and encrypted the database. Now I have to rotate the master key.
I can't find any documentation on rotating the master key, only on activating, listing and deleting it.
By master key, do you mean the database encryption key, i.e., the one Cache is using to encrypt the database? If so, you need to re-key the database manually if this is something you want to do. This should be an option available in the ^EncryptionKey utility in the %SYS namespace. (The older cvencrypt utility will also re-key, but is slower and does not have KMIP functionality.) The InterSystems IRIS docs cover using ^EncryptionKey for re-keying here:
https://irisdocs.intersystems.com/irislatest/csp/docbook/Doc.View.cls?KEY=GCAS_cvencrypt
If you mean a different key than the database encryption one, can you explain which one? For example, you authenticate to the KMIP server using a public/private key pair. Is this the one you mean? Something else?
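The thread turns on the distinction the original poster asked about (1-tier versus 2-tier) and the answer's point that re-keying the database is a separate, manual operation from anything the KMIP server does. The following Go program is an added example, not code from the answerer, from InterSystems or from any KMIP product, and it does not describe how Cache's managed key encryption is actually implemented; it shows a generic two-tier (envelope) layout so the two kinds of "rotation" can be compared. All names (`Database`, `RotateKEK`, `RotateDEK`, `ReadPage`, the `wrapped-dek` and `page-N` associated data) are assumptions for the illustration, AES-256-GCM stands in for both the key-wrap step and the page encryption, and the sample "records" are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Added illustration of a two-tier (envelope) key hierarchy; not InterSystems code. Assumed
// names: KEK = master key held by the KMIP server/HSM; DEK = database key, stored only in
// wrapped form. KEK --wraps--> DEK --encrypts--> pages. AES-256-GCM stands in for both steps.

type Blob struct{ Nonce, Ciphertext []byte }
type Database struct{ Pages []Blob; WrappedDEK Blob } // pages under the DEK; the DEK under the KEK

var dekAAD = []byte("wrapped-dek")
func pageAAD(i int) []byte { return []byte(fmt.Sprintf("page-%d", i)) } // binds each page to its slot

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this demo is 32 bytes
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

func sealWith(key, plaintext, aad []byte) Blob {
	nonce := randomBytes(12) // fresh random nonce per encryption; never reused with the same key
	return Blob{nonce, gcm(key).Seal(nil, nonce, plaintext, aad)}
}

func openWith(key []byte, b Blob, aad []byte) ([]byte, error) {
	return gcm(key).Open(nil, b.Nonce, b.Ciphertext, aad)
}

// NewDatabase encrypts every page under a fresh DEK and wraps that DEK under kek.
func NewDatabase(kek []byte, plaintext [][]byte) *Database {
	dek := randomBytes(32)
	db := &Database{WrappedDEK: sealWith(kek, dek, dekAAD)}
	for i, pt := range plaintext {
		db.Pages = append(db.Pages, sealWith(dek, pt, pageAAD(i)))
	}
	return db
}

// RotateKEK re-wraps the DEK under newKEK; no page is touched, so the cost is constant.
func RotateKEK(db *Database, oldKEK, newKEK []byte) (int, error) {
	dek, err := openWith(oldKEK, db.WrappedDEK, dekAAD)
	if err != nil {
		return 0, fmt.Errorf("old KEK does not unwrap the DEK: %w", err)
	}
	db.WrappedDEK = sealWith(newKEK, dek, dekAAD)
	return 0, nil
}

// RotateDEK re-keys the data itself: every page is decrypted under the old DEK and
// re-encrypted under a new one, which is then wrapped under kek. Cost is linear in the data.
func RotateDEK(db *Database, kek []byte) (int, error) {
	oldDEK, err := openWith(kek, db.WrappedDEK, dekAAD)
	if err != nil {
		return 0, err
	}
	newDEK := randomBytes(32)
	for i := range db.Pages {
		pt, err := openWith(oldDEK, db.Pages[i], pageAAD(i))
		if err != nil {
			return i, err
		}
		db.Pages[i] = sealWith(newDEK, pt, pageAAD(i))
	}
	db.WrappedDEK = sealWith(kek, newDEK, dekAAD)
	return len(db.Pages), nil
}

// ReadPage is the normal access path: unwrap the DEK with the KEK, then decrypt one page.
func ReadPage(db *Database, kek []byte, i int) ([]byte, error) {
	dek, err := openWith(kek, db.WrappedDEK, dekAAD)
	if err != nil {
		return nil, err
	}
	return openWith(dek, db.Pages[i], pageAAD(i))
}

func main() {
	kek1, kek2 := randomBytes(32), randomBytes(32)
	db := NewDatabase(kek1, [][]byte{[]byte("record 1"), []byte("record 2")})
	fmt.Println(RotateKEK(db, kek1, kek2)) // 0 <nil>: nothing rewritten
	fmt.Println(RotateDEK(db, kek2))       // 2 <nil>: every page rewritten
}
```

The point of the two functions is the asymmetry: in a two-tier scheme, rotating the master key on the HSM only requires unwrapping and re-wrapping one small blob, whereas rotating the key the data is actually encrypted under means rewriting every page, which is the kind of job the answer describes as a manual re-key with ^EncryptionKey. Which of the two tiers a given product's "master key" corresponds to, and whether a KMIP server will re-wrap on its own, is exactly what the original poster needs to confirm against the InterSystems and HSM documentation; this thread does not settle it. In a real deployment the KEK never leaves the HSM, so the unwrap and wrap steps above would be KMIP operations performed inside the appliance rather than local AES calls.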