You can use the Rotate encryption master keys workflow to rotate master keys. This operation revokes the current master key and generates a new master key with the key management server. The workflow rotates both the CommCell level password encryption master key and the Storage Pool level data encryption master key.
If you want to perform a one-time key rotation, run the workflow manually once.
To enable periodic key rotation (for example, every 90 days), set the key rotation interval to 90 days and schedule the workflow to run daily. In this configuration, the workflow runs every day, checks for keys older than 90 days, and automatically rotates them.
To rotate the master key for a storage policy copy, you can use the command line.
Before You Begin
You must turn off the automatic key rotation option available with the KMS provider.
Procedure
- From the CommCell Browser, go to Workflows.
- Download the workflow Rotate encryption master keys from the Commvault Store by following the instructions in Download Workflows from Commvault Store.
- Right-click Rotate encryption master keys, and then click All Tasks > Deploy to deploy the workflow.
- Right-click Rotate encryption master keys again, and then click All Tasks > Execute to run the workflow.
  The Rotate encryption master keys Options dialog box appears.
- From the Run workflow on list, select the workflow engine to use to execute the workflow.
  If you select Any, the workflow engine with the latest deployed version of the workflow is used.
- In the Key Rotation Interval (in days) box, specify the interval for rotating the master keys.
- To enable periodic key rotation, click the Schedule tab, and configure the schedule for workflow execution. For more information, see Schedule the workflow.
- Click OK.