The data that is stored in your Event Endpoint Management instance is encrypted. The data is encrypted with a data encryption key, and the data encryption key itself is encrypted with a master key.
When an Event Endpoint Management instance is created, a secret called <instance-name>-ibm-eem-mek is created. This secret contains the master key for decrypting the stored data.
Important: If you enabled persistence for your Event Endpoint Management instance and set the deleteClaim storage property to false, a backup of the <instance-name>-ibm-eem-mek secret is created. This backup secret is not automatically deleted when you uninstall an Event Endpoint Management instance. Therefore, the backup of the master key is still available to decrypt persisted data.
The master key is responsible for encrypting the data encryption key, which encrypts the Event Endpoint Management data. While the master key is stored in the secret <instance-name>-ibm-eem-mek, the data encryption key is stored in the disk space and is not exposed.
The separation of the master key and the data encryption key means there is usually no reason to rotate the data encryption key. The rotation of the master key, which is used to protect the data encryption key, can be done efficiently without the need to decrypt and re-encrypt the data itself.
Rotating the encryption key
Instead of the master key provided by Event Endpoint Management, you can encrypt the data encryption key with a custom key you create. The value of the custom key must be a Base64-encoded string, and use the Advanced Encryption Standard (AES) algorithm.
To create a custom key and use it instead of the master key:
-
Create a new encryption key by running the following
opensslcommand:$ openssl enc -aes128 -k secret -P -md sha1 -pbkdf2 -iter 65535An output similar to the following is displayed:
salt=194B6AEFEDBF7FCE key=<key> iv =0AC601AB78B3623D1F3C0B190BFF0058Where
<key>is the new encryption key.Important: This command is based on
openssl. You can use any method to produce an AES key. If thekeyandivare generated with another tool, you must verify that the output is hex-encoded and that the size of the key for the 128-bit key is 32 characters. -
Create a secret with the encryption key that you generated in the previous step:
$ cat <<EOF | kubectl apply -f - kind: Secret apiVersion: v1 metadata: name: <name> data: encryption-main-key: <key> type: Opaque EOFWhere:
<name>is the name of the secret.<key>is the encryption key that you generated earlier.
-
After the secret is created, edit the
EventEndpointManagementcustom resource to setspec.manager.storage.rotationSecretNameto the name of the secret.The Event Endpoint Management operator starts the rotation of the encryption key. The rotation to use the custom key is complete when the
EventEndpointManagementcustom resource reports status asReady. -
Validate that the rotation was successful by checking whether the values of
<instance-name>-ibm-eem-mekare the same as the rotation secret that you created earlier. -
You can remove the
spec.manager.storage.rotationSecretNamefield from theEventEndpointManagementcustom resource and delete the rotation secret.Note: Remove the
spec.manager.storage.rotationSecretNamefield after completing the previous steps to avoid errors that might occur within the operator when the operator tries to find a secret that does not exist.
Your data encryption key is encrypted with the new custom master key that you created.