Encrypting your data

The data that is stored in your Event Processing instance is encrypted. The data is encrypted with a data encryption key, and the data encryption key itself is encrypted with a master key.

When an Event Processing instance is created, a secret called <instance-name>-ibm-ep-mek is created. This secret contains the master key for decrypting the stored data.

Important: If you enabled persistence for your Event Processing instance and set the deleteClaim storage property to false, a backup of the <instance-name>-ibm-ep-mek secret is created. This backup secret is not automatically deleted when you uninstall an Event Processing instance. Therefore, the backup of the master key is still available to decrypt persisted data.

The master key is responsible for encrypting the data encryption key, which encrypts the Event Processing data. While the master key is stored in the secret <instance-name>-ibm-ep-mek, the data encryption key is stored in the disk space and is not exposed.

The separation of the master key and the data encryption key means that there is usually no reason to rotate the data encryption key. The rotation of the master key, which is used to protect the data encryption key, can be done efficiently without the need to decrypt and reencrypt the data itself.

Rotating the encryption key

Instead of the master key provided by Event Processing, you can encrypt the data encryption key with a custom key you create. The value of the custom key must be a Base64-encoded string, and use the Advanced Encryption Standard (AES) algorithm.

To create a custom key and use it instead of the master key:

Create a encryption key by running the following openssl command:
```
$ openssl enc -aes128 -k secret -P -md sha1 -pbkdf2 -iter 65535
```
An output similar to the following is displayed:
```
salt=194B6AEFEDBF7FCE
key=<key>
iv =0AC601AB78B3623D1F3C0B190BFF0058
```
Where <key> is the new encryption key.

Important: This command is based on openssl. You can use any method to produce an AES key. If the key and iv are generated with another tool, you must verify that the output is hex-encoded and that the size of the key for the 128-bit key is 32 characters.
Create a secret with the encryption key that you generated in the previous step:
```
$ cat <<EOF | kubectl apply -f -
kind: Secret
apiVersion: v1
metadata:
  name: <name>
data:
  encryption-main-key: <key>
type: Opaque
EOF
```
Where:
- <name> is the name of the secret.
- <key> is the encryption key that you generated earlier.
After the secret is created, edit the EventProcessing custom resource to set spec.authoring.storage.rotationSecretName to the name of the secret.

The Event Processing operator starts the rotation of the encryption key. The rotation to use the custom key is complete when the EventProcessing custom resource reports status as Ready.
Validate that the rotation was successful by checking whether the values of <instance-name>-ibm-ep-mek are the same as the rotation secret that you created earlier.
You can remove the spec.authoring.storage.rotationSecretName field from the EventProcessing custom resource and delete the rotation secret.

Note: Remove the spec.authoring.storage.rotationSecretName field after completing the previous steps to avoid errors that might occur within the operator when the operator tries to find a secret that does not exist.

Your data encryption key is encrypted with the new custom master key that you created.