How to Rotate Your Encryption Keys

Click Studios uses Symmetric Data Encryption within Passwordstate to protect your sensitive data. It does this using 256-bit AES (Advanced Encryption Standard) data encryption to encrypt (cipher) and decrypt (decipher) information. At a high level the process of encryption and decryption looks like this:

AES is the first and only publicly accessible cipher approved by the US National Security Agency (NSA) for protecting top secret information. 256-bit AES is practically unbreakable by brute force based on current computing power, making it the strongest encryption standard available. In short, by using symmetric encryption algorithms, data is converted into a form that cannot be understood by anyone not possessing the secret key to decrypt it.

NIST, the National Institute of Standards and Technology, recommends that Symmetric Data Encryption Keys be changed every 2 years, or earlier based on an organization’s risk factors. Your Passwordstate Encryption Keys shouldn’t be “set and forget”; they should be managed and rotated on a regular basis.

But Before You Start…

Make sure you have a backup of your Passwordstate Database and take a copy of your Web.config file. The built-in Backup functionality is perfect for taking a backup, and you can do this by navigating to Administration->Backups and Upgrades->Backup Now.

If you’ve never used the built-in functionality, you’ll need to configure settings first under Administration->Backups and Upgrades->Settings.  Information on how to do this can be found here for both Domain and Workgroup implementations.
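The Web.config copy described above, as an added PowerShell example (not Click Studios code): it copies the file, confirms the copy is byte-identical by SHA-256 and leaves it read-only. `$SiteRoot` and `$BackupDir` are caller-supplied assumptions, since the page does not state where Passwordstate is installed.

```powershell
# Added example: not Click Studios code. Both paths are supplied by the caller.
[CmdletBinding()]
param(
    # Folder that holds the Passwordstate Web.config (assumption: known to the admin)
    [Parameter(Mandatory)] [string] $SiteRoot,
    # Folder to hold the copy; keep it outside the web server's published path
    [Parameter(Mandatory)] [string] $BackupDir
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$source = Join-Path $SiteRoot 'Web.config'
if (-not (Test-Path -LiteralPath $source -PathType Leaf)) {
    throw "Web.config not found at $source"
}

# Refuse to proceed on a file that is not well-formed XML: a damaged
# Web.config is no use as a restore point.
try { $null = [xml](Get-Content -LiteralPath $source -Raw) }
catch { throw "Web.config at $source is not well-formed XML: $_" }

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$copy  = Join-Path $BackupDir "Web.config.pre-rotation.$stamp"
Copy-Item -LiteralPath $source -Destination $copy

# Compare SHA-256 digests so a truncated or partial copy is caught now,
# not during a restore.
$srcHash  = (Get-FileHash -LiteralPath $source -Algorithm SHA256).Hash
$copyHash = (Get-FileHash -LiteralPath $copy   -Algorithm SHA256).Hash
if ($srcHash -ne $copyHash) {
    Remove-Item -LiteralPath $copy
    throw "Copy verification failed: $srcHash (source) vs $copyHash (copy)"
}

# Mark the copy read-only so it is not overwritten by accident.
Set-ItemProperty -LiteralPath $copy -Name IsReadOnly -Value $true

# Emit a record to file alongside the database backup taken at the same time.
[pscustomobject]@{
    Source = $source
    Copy   = $copy
    SHA256 = $copyHash
    Taken  = $stamp
}
```

Keep the reported SHA256 value with the database backup from the same point in time, so the matching pair can be identified if a restore is needed.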

Follow the Bouncing Ball…

Now that you’ve taken a backup of your Passwordstate database and have a copy of your Web.config file you’re ready to get started.  And it really is as easy as following the bouncing ball! 

Under Administration->Encryption Keys you’ll find 2 buttons, Export Keys and Key Rotation. Export Keys allows you to create a password protected Zip file containing your Encryption keys and we’ll cover more on that later. First, we’re going to focus on Key Rotation. To get started click on the Key Rotation button.

You’ll now be prompted to ensure you have a backup of your Passwordstate Database and a copy of your Web.config file. Take the time to read through the information before clicking on the box next to “I have read the notification above and understand some action is required of me before and after the key rotation”. If this check box isn’t ticked then you won’t be able to proceed with the Key Rotation. Once you’re ready, and you’ve ticked the check box, you can click on the Begin Key Rotation button.

As you can see in the image above, the Encryption Key Rotation screen lists all of the tables, the number of records in each table and the Status for each. To commence the re-encryption process click on the Re-Encrypt Data button.

The status symbol of a Clock means that table hasn’t been re-encrypted yet. The status of a Tick means the table has now been re-encrypted, and the Flashing Blue Squares identify the table currently being re-encrypted. A Status message of Please Wait… is shown at the bottom left-hand side of the display grid listing the tables.

As the tables are re-encrypted, they will cycle off the first page of the display grid and be replaced by tables waiting to be re-encrypted. When fewer tables are waiting to be re-encrypted than it takes to fill the display grid, you’ll start to see the tables that have been completed (shown by a status of Tick) moving back up the display grid. Once complete you’ll be taken to the Key Rotation Complete Screen. Again, take the time to read through the information before clicking the Start Passwordstate button. This will log you off and you will need to log back into Passwordstate.

Don’t Forget… Take a copy of your New Encryption Keys

Now, cycling back to the Export Keys button. Once you’ve successfully rotated your encryption keys it’s good practice to take a copy of them. This can be done by navigating to Administration->Encryption Keys and clicking on the Export Keys button. You’ll be taken to the Export Encryption Keys screen, which tells you that the split secrets that make up your Passwordstate Encryption Keys are exported via a Password Protected ZIP file. To begin the export process, click on the Export Keys button.

This will pop up the Password Protected Zip File dialog, which will require you to supply a password for the Zip file. You will also be required to check the box stating that you cannot use the native Windows Compression to extract the contents of the Zip file. Once that’s done you can click on the Export Keys button to create the Zip file containing the exported encryption keys.

The process of rotating your Passwordstate Encryption Keys is that simple and the effort required to rotate them is minimal.  There really is no reason not to be managing them appropriately.

We’d love to hear your feedback, send it to
