Question
· May 26, 2020

Requesting assistance on Intersystems Cache Managed Key Encryption

We have configured the KMIP Server.

The KMIP server is an external HSM box. I was not able to find any info on key rotation, or on what type of encryption it follows, i.e. a 1-tier approach or a 2-tier approach.

Can someone please assist on the same?


Are you asking about the KMIP server and how it works? If so, I don't think this is the right place to ask, and would recommend you talk to people who know more about your KMIP system.

Or are you asking about how Cache handles key rotation for encrypted databases and/or managed key encryption? If so, this is mostly up to the user. There isn't automatic re-keying of databases on a schedule.

For master key, do you mean the database encryption key, i.e., the one Cache is using to encrypt the database? If so, you need to re-key the database manually if this is something you want to do. This should be an option available in the ^EncryptionKey utility in the %SYS namespace. (The older cvencrypt utility will also re-key, but is slower and does not have KMIP functionality.) The InterSystems IRIS docs cover using ^EncryptionKey for re-keying here:

https://irisdocs.intersystems.com/irislatest/csp/docbook/Doc.View.cls?KEY=GCAS_cvencrypt

If you mean a different key than the database encryption one, can you explain which one? For example, you authenticate to the KMIP server using a public/private key pair. Is this the one you mean? Something else?
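The question asks about 1-tier versus 2-tier key management and the answer points out that re-keying the database key means the database itself has to be re-encrypted. The following is an added, generic illustration of that distinction and is not InterSystems code; it does not show how Cache or the KMIP server actually stores keys. It compares a 1-tier store (the HSM-held key encrypts the records directly) with a 2-tier "envelope" store (the HSM-held key encryption key, KEK, wraps a local data encryption key, DEK), and counts how many records each kind of rotation has to rewrite. The cipher is a constructed HMAC-SHA256 keystream stand-in so the example runs with the standard library only; it is unauthenticated and is not the cipher any real product uses. Class and function names are hypothetical.

```python
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style keystream: HMAC-SHA256(key, nonce || counter) XORed over data.
    Stand-in for a real block cipher (constructed for this example only)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh nonce per message, prepended to the ciphertext
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:16], blob[16:])


class OneTierStore:
    """1-tier: the key held in the KMIP/HSM is the data key itself."""

    def __init__(self, kms_key: bytes):
        self.kms_key = kms_key
        self.records = []

    def write(self, plaintext: bytes) -> None:
        self.records.append(encrypt(self.kms_key, plaintext))

    def read(self, i: int) -> bytes:
        return decrypt(self.kms_key, self.records[i])

    def rotate(self, new_kms_key: bytes) -> int:
        # Rotating the only key means every record is decrypted and re-encrypted.
        self.records = [encrypt(new_kms_key, decrypt(self.kms_key, r)) for r in self.records]
        self.kms_key = new_kms_key
        return len(self.records)  # records rewritten


class TwoTierStore:
    """2-tier (envelope): the KMIP/HSM key (KEK) only wraps a local DEK that encrypts records."""

    def __init__(self, kek: bytes):
        self.wrapped_dek = encrypt(kek, os.urandom(32))  # DEK is stored only in wrapped form
        self.records = []

    def _unwrap(self, kek: bytes) -> bytes:
        return decrypt(kek, self.wrapped_dek)

    def write(self, kek: bytes, plaintext: bytes) -> None:
        self.records.append(encrypt(self._unwrap(kek), plaintext))

    def read(self, kek: bytes, i: int) -> bytes:
        return decrypt(self._unwrap(kek), self.records[i])

    def rotate_kek(self, old_kek: bytes, new_kek: bytes) -> int:
        # Only the wrapped DEK is rewritten; the record ciphertexts are untouched.
        self.wrapped_dek = encrypt(new_kek, self._unwrap(old_kek))
        return 0

    def rotate_dek(self, kek: bytes) -> int:
        # Rotating the DEK is the expensive case, equivalent to re-keying the database.
        old_dek = self._unwrap(kek)
        new_dek = os.urandom(32)
        self.records = [encrypt(new_dek, decrypt(old_dek, r)) for r in self.records]
        self.wrapped_dek = encrypt(kek, new_dek)
        return len(self.records)


def demo() -> dict:
    """Run both stores over constructed sample records and report records rewritten per rotation."""
    records = [b"record-1", b"record-2", b"record-3"]  # constructed sample data
    k1, k2 = os.urandom(32), os.urandom(32)
    one = OneTierStore(k1)
    for r in records:
        one.write(r)
    one_tier = one.rotate(k2)
    assert [one.read(i) for i in range(len(records))] == records
    two = TwoTierStore(k1)
    for r in records:
        two.write(k1, r)
    kek_only = two.rotate_kek(k1, k2)
    dek = two.rotate_dek(k2)
    assert [two.read(k2, i) for i in range(len(records))] == records
    return {"one_tier_rotate": one_tier, "two_tier_kek_rotate": kek_only, "two_tier_dek_rotate": dek}


if __name__ == "__main__":
    print(demo())
```

The numbers make the operational point behind the answer: with a two-tier design, rotating the key that lives in the HSM is a metadata-only change, while rotating the key that actually encrypts the data (the database encryption key in the answer) always costs a full pass over the data, which is why it is a deliberate, manual step rather than something done on a schedule.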