Privacera Documentation

Rollover encryption keys on Privacera Platform

Privacera uses Apache Ranger KMS to manage its encryption keys. You can roll over encryption keys from the Apache Ranger UI or through the Ranger REST API (/keys/key). If the data itself were encrypted directly with the key being rotated, a rollover would be expensive: every byte encrypted under the old key would have to be decrypted and re-encrypted under the new one, which for a key protecting several terabytes is computationally intensive and time-consuming, and the data is unavailable for the duration of that decrypt-and-re-encrypt pass.

To avoid this, Privacera uses envelope encryption. The data is encrypted with Data Encryption Keys (DEKs), and the DEKs are in turn encrypted with a separate set of keys, the Key Encryption Keys (KEKs). In Privacera, "rollover" means rotating the KEKs, not the DEKs. Because only the small encrypted DEKs have to be re-wrapped under the new KEK and the data ciphertext is never touched, rotating a KEK completes quickly even when it protects ten thousand DEKs.
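The following model of the DEK/KEK hierarchy and of what a KEK rollover rewrites is an added example written for this page; it is not Privacera or Ranger code. The cipher is a toy SHA-256 keystream XOR standing in for AES, and the key sizes, nonces and record layout are assumptions. The point it demonstrates is that a rollover re-wraps only the DEK blobs while the data ciphertext stays byte-for-byte the same, and that older KEK versions must stay available for any blob that still names them.

```python
"""Envelope encryption and KEK rollover, modelled in stdlib Python.

Added example, not Privacera or Ranger code. The cipher is a toy
SHA-256 keystream XOR standing in for AES; the point is the key
hierarchy data -> DEK -> KEK and what a KEK rollover does and does not touch.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style cipher: XOR data with SHA-256(key || nonce || counter).
    Symmetric, so the same call decrypts. Stand-in for AES, not for production."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass(frozen=True)
class WrappedDEK:
    kek_version: int   # which KEK version wrapped this DEK
    nonce: bytes
    blob: bytes        # the DEK encrypted under that KEK version


@dataclass(frozen=True)
class Record:
    dek: WrappedDEK    # per-record wrapped DEK, stored beside the data
    nonce: bytes
    ciphertext: bytes  # data encrypted under the plaintext DEK


class KMS:
    """Holds every KEK version ever created (assumed layout). Old versions are
    kept so a wrapped DEK that still names an older version can be unwrapped."""

    def __init__(self) -> None:
        self._keks: Dict[int, bytes] = {0: os.urandom(32)}
        self.current_version = 0

    def wrap(self, dek: bytes) -> WrappedDEK:
        nonce = os.urandom(16)
        kek = self._keks[self.current_version]
        return WrappedDEK(self.current_version, nonce, xor_stream(kek, nonce, dek))

    def unwrap(self, wrapped: WrappedDEK) -> bytes:
        kek = self._keks[wrapped.kek_version]      # version pinned in the blob
        return xor_stream(kek, wrapped.nonce, wrapped.blob)

    def rollover(self, records: List[Record]) -> List[Record]:
        """Create a new KEK version and re-wrap every DEK under it.
        Only the small DEK blobs are rewritten; data ciphertext is untouched."""
        self.current_version += 1
        self._keks[self.current_version] = os.urandom(32)
        return [Record(self.wrap(self.unwrap(r.dek)), r.nonce, r.ciphertext)
                for r in records]


def encrypt_record(kms: KMS, plaintext: bytes) -> Record:
    """One fresh DEK per record; the DEK is only ever stored wrapped."""
    dek, nonce = os.urandom(32), os.urandom(16)
    return Record(kms.wrap(dek), nonce, xor_stream(dek, nonce, plaintext))


def decrypt_record(kms: KMS, record: Record) -> bytes:
    return xor_stream(kms.unwrap(record.dek), record.nonce, record.ciphertext)


def demo(n_records: int = 10_000) -> Tuple[bool, bool, int]:
    """Returns (all records decrypt after rollover,
                data ciphertext unchanged by rollover,
                number of DEK blobs now naming the new KEK version)."""
    kms = KMS()
    # Constructed sample data standing in for the encrypted dataset.
    plaintexts = [b"row-%d: constructed sample data" % i for i in range(n_records)]
    records = [encrypt_record(kms, p) for p in plaintexts]
    before = [r.ciphertext for r in records]

    rotated = kms.rollover(records)          # the cheap step: n small re-wraps

    ok = all(decrypt_record(kms, r) == p for r, p in zip(rotated, plaintexts))
    untouched = [r.ciphertext for r in rotated] == before
    rewrapped = sum(1 for r in rotated if r.dek.kek_version == kms.current_version)
    return ok, untouched, rewrapped


if __name__ == "__main__":
    print(demo(10))
```

Running `demo()` with ten thousand records finishes in well under a second because the rollover performs ten thousand 32-byte re-wraps and never reads the data ciphertext; the same structure with AES in place of the toy cipher scales the same way. Note that `KMS` keeps version 0 after the rollover: a record whose DEK blob was not re-wrapped (for example one written by a client mid-rollover) still decrypts, which is the behaviour Hadoop-style KMS key versioning relies on.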

To roll over encryption keys using the Apache Ranger UI:

  1. Log in to Ranger at https://<your_privacera_hostname>:6080 with the keyadmin credentials (Ranger's key management role).

  2. Hover over the Encryption menu item and select Key Manager.

  3. From the Select Service dropdown, select privacera_kms.

    The current key entries are displayed.

  4. Click the pencil icon for the key you want to roll over.

  5. Click OK to confirm the rollover.

    This calls the Ranger rollover key API, which generates a new key version, decrypts the DEKs that were wrapped with the previous key, and re-encrypts them with the newly generated one. The data encrypted under those DEKs is not touched, which is why the operation completes quickly. Afterwards, check in Key Manager that the key's version count has increased.
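For a scripted rollover (for example from a scheduled rotation job), the following added example drives the Hadoop KMS REST API that Ranger KMS implements, rather than the Ranger Admin /keys/key endpoint used by the UI. It is not Privacera's code. The KMS base URL and port are assumptions, as is the key name `privacera_key`; authentication is left to a pluggable transport because most deployments front KMS with Kerberos/SPNEGO, which plain `urllib` does not speak. The exchange is: list the key's versions, POST a rollover, list again and refuse to report success unless the KMS actually shows the new version.

```python
"""Scripted equivalent of the Ranger UI rollover, using the Hadoop KMS REST API
that Ranger KMS implements. Added example, not Privacera's code.

Assumptions: the KMS base URL below, the key name used in __main__, and that
the caller's transport handles authentication (Kerberos/SPNEGO in most setups).
"""
import json
import urllib.request
from typing import Callable, List, Optional, Tuple

# Assumed endpoint; Ranger KMS serves the Hadoop KMS API under /kms/v1.
KMS_BASE = "https://<your_privacera_hostname>:9292/kms/v1"

# (method, url, body) -> (HTTP status, response body)
Transport = Callable[[str, str, Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, body: Optional[bytes]) -> Tuple[int, bytes]:
    """Plain HTTPS transport; swap in a SPNEGO-aware client for Kerberised KMS."""
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Accept", "application/json")
    if body is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def key_versions(key_name: str, transport: Transport) -> List[str]:
    """GET /key/<name>/_versions -> version names, oldest first.
    Field names follow the Hadoop KMS JSON format ("versionName")."""
    status, body = transport("GET", f"{KMS_BASE}/key/{key_name}/_versions", None)
    if status != 200:
        raise RuntimeError(f"listing versions of {key_name} failed: HTTP {status}")
    return [v["versionName"] for v in json.loads(body)]


def rollover_key(key_name: str, transport: Transport) -> str:
    """POST /key/<name> creates a new key version; with no "material" in the
    body the KMS generates the material itself. Returns the new version name
    only after confirming the KMS lists exactly one more version than before."""
    before = key_versions(key_name, transport)
    status, body = transport("POST", f"{KMS_BASE}/key/{key_name}", b"{}")
    if status != 200:
        raise RuntimeError(f"rollover of {key_name} failed: HTTP {status}")
    new_version = json.loads(body)["versionName"]
    after = key_versions(key_name, transport)
    if (new_version in before or new_version not in after
            or len(after) != len(before) + 1):
        raise RuntimeError(f"KMS does not reflect the rollover of {key_name}")
    return new_version


if __name__ == "__main__":
    # Assumed key name; run against a real KMS with a transport that can authenticate.
    print(rollover_key("privacera_key", urllib_transport))
```

The before/after version check is the part worth keeping in any automation: a 200 on the POST alone does not prove the new version is visible to clients, and a job that rotates on a schedule should fail loudly rather than assume the KEK changed.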