You can use a workflow to rotate the master keys of storage policy copies in a CommCell environment. This operation revokes the current master key and generates a new master key with the key management server. The software uses the master key to encrypt the RSA private key of the storage policy copy. The RSA public key and the RSA private key remain the same after key rotation, so the old jobs that are encrypted with the previous master key can still be decrypted.
To rotate the master key for a storage policy copy, you can use the command line.
Before You Begin
You must turn off the automatic key rotation option available with the KMS provider.
Procedure
- From the CommCell Browser, go to Workflows.
- Download the workflow Rotate encryption master keys from the Commvault Store by following the instructions in Download Workflows from Commvault Store.
- Right-click Rotate encryption master keys, and then click All Tasks > Deploy to deploy the workflow.
- Right-click Rotate encryption master keys again, and then click All Tasks > Execute to run the workflow.
  The Rotate encryption master keys Options dialog box appears.
- From the Run workflow on list, select the workflow engine to use to execute the workflow.
  If you select Any, the workflow engine with the latest deployed version of the workflow is used.
- In the Key Rotation Interval (in days) box, specify the rotation interval. Keys that have not been rotated within this interval are rotated. For example, if you specify 30 days, then the keys that have not been rotated in the past 30 days are rotated.
- Click OK.
What to Do Next
Schedule the workflow to run once a day so that keys are rotated periodically according to the given rotation interval.
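
The following sketch is an added illustration, not Commvault code: it models the rotation described at the top of this page (a new master key re-wraps the same RSA private key) and how the Key Rotation Interval selects which copies are rotated. It assumes an in-memory dictionary in place of the key management server, an HMAC-SHA256 construction in place of the real wrapping cipher, random bytes in place of an RSA private key, and that a key aged exactly the interval counts as due; all function and variable names are hypothetical.

```python
import hashlib
import hmac
import secrets
from datetime import timedelta

def _subkey(master_key, label):
    return hmac.new(master_key, label, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def wrap(master_key, secret):
    # Stand-in for the KMS wrap operation (encrypt-then-MAC built on HMAC-SHA256).
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(master_key, b"enc"), nonce, len(secret))
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(_subkey(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(master_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("master key does not match this wrapped key")
    stream = _keystream(_subkey(master_key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def rotate_due(copies, kms, interval_days, now):
    """Re-wrap the private key of every copy not rotated within interval_days."""
    rotated = []
    for name, copy in copies.items():
        if now - copy["last_rotated"] < timedelta(days=interval_days):
            continue                                    # rotated recently: skip
        private_key = unwrap(kms[name], copy["wrapped"])
        kms[name] = secrets.token_bytes(32)             # new master key replaces the old one
        copy["wrapped"] = wrap(kms[name], private_key)  # RSA private key itself is unchanged
        copy["last_rotated"] = now
        rotated.append(name)
    return rotated

def make_copy(kms, name, private_key, last_rotated):
    # Constructed sample data: the caller passes random bytes as the "private key".
    kms[name] = secrets.token_bytes(32)
    return {"wrapped": wrap(kms[name], private_key), "last_rotated": last_rotated}
```

Only the wrapped blob and the master key change during rotation, which is why data protected by the unchanged RSA key pair stays readable while the previous master key can no longer unwrap anything.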