We recently published a blog on how easy it was to rotate your Passwordstate Encryption Keys https://blog.clickstudios.com.au/how-to-rotate-your-encryption-keys/. Since then we’ve released V9 Build 9350 which introduces a number of related features.
Key Rotation Reminder
NIST recommends a life span of up to two years for Symmetric Data Encryption keys. This is the type of encryption key used by Passwordstate and Click Studios strongly recommends that customers manage and rotate their Passwordstate encryption keys on a regular basis. Please note that while the NIST standard is for up to 2 years, the environment in which it is used, the characteristics of the data being protected along with your organization’s risk factors need to be taken into account.
With this in mind, Passwordstate now allows you to set a notification prompting you to update your Encryption keys. This can be found under Administration->Encryption Keys as per the image below,

The options provided are for 6, 12, 18 or 24 months. The reminder works by sending a message to the Notification area located in the top right-hand side of the UI (User Interface). The notification sent is:
Encryption Key Rotation Reminder. Best Practise recommends it’s time to generate new encryption keys, and re-encrypt your data. This can be done on the screen Administration -> Encryption Keys.
This notification is only a reminder and there is no enforced rotation of encryption keys. The reminder is only visible to Security Administrators that have been granted access to the Encryption Keys Role under Administration->Security Administrators.
Confirming the Encryption Used
When Passwordstate is first installed you have the option of installing it to use either 256 Bit AES Encryption or FIPS 140-2 (Federal Information Processing Standards) Encryption. Click Studios recommends installing your Passwordstate instance to use the default 256 Bit AES Encryption unless you are mandated by the United States Government to configure your Microsoft Windows environment in FIPS compliance mode.
If you’re unsure what encryption is currently being used in your Passwordstate instance, simply navigate to Administration->Passwordstate Administration and look at FIPS Encryption. If you are using the default 256 Bit AES Encryption the value will be set to No. If you are running FIPS Encryption then the value will be set to Yes,

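Before choosing between the two encryption modes it is worth confirming whether the Windows host itself enforces the FIPS 140-2 algorithm policy, since that is what makes the FIPS build necessary. The following is an added example, not part of the original post or of Passwordstate; it assumes Windows PowerShell 5.1 on .NET Framework, where the CLR honours the policy, and reads the standard `FipsAlgorithmPolicy` registry value.

```powershell
# Added example (not Click Studios' code): report whether this Windows host
# enforces the FIPS 140-2 algorithm policy, as seen by the OS and by the CLR.
# Assumes Windows PowerShell 5.1 (.NET Framework).
function Get-FipsPolicyState {
    # OS-level policy switch (same value the Local Security Policy setting writes).
    $regPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $regEnabled = (Get-ItemProperty -Path $regPath -Name Enabled -ErrorAction SilentlyContinue).Enabled

    # What the .NET runtime believes; ASP.NET applications observe this at run time.
    $clrEnforced = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

    # Probe: the purely managed AES class is not FIPS-validated and refuses to load
    # when the policy is enforced; the CSP-backed class keeps working either way.
    $managedAesAllowed = $true
    try   { $null = New-Object System.Security.Cryptography.AesManaged }
    catch { $managedAesAllowed = $false }

    $cspAesAllowed = $true
    try   { $null = New-Object System.Security.Cryptography.AesCryptoServiceProvider }
    catch { $cspAesAllowed = $false }

    [pscustomobject]@{
        RegistryEnabled   = [bool]$regEnabled
        ClrEnforcesFips   = $clrEnforced
        ManagedAesAllowed = $managedAesAllowed
        CspAesAllowed     = $cspAesAllowed
    }
}

Get-FipsPolicyState | Format-List
```

If `RegistryEnabled` and `ClrEnforcesFips` are both False, the host is not in FIPS compliance mode and the default 256 Bit AES Encryption is the appropriate choice; a True result with `ManagedAesAllowed` False shows the policy being enforced.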
Changing the type of Encryption Used
For the purpose of the blog, you’ve confirmed the type of encryption used (256 Bit AES Encryption) and need to change to FIPS encryption. The first thing that is required is to obtain a FIPS version of your license keys. To do this you’ll need to request a copy from the Click Studios sales team via sales@clickstudios.com.au. When requesting the FIPS license keys you’ll need to send through an image of your License Information screen with all license keys fully visible (the screen below has the keys redacted),

Once you’ve received the new license keys you’re ready to start. Navigate to Administration->Encryption Keys->Encryption Key Rotation and make sure to read the information provided. Once you’ve completed any required steps, you’ll need to Enable Maintenance Mode, return to the previous screen and then click Begin Key Rotation,

And So It Begins
You are first prompted to confirm that you’ve read the notifications and understand that action is required on your part, and whether you want to migrate from the standard AES 256 Bit Encryption to the FIPS 140-2 Encryption. Tick both boxes and then click on Begin Key Rotation.

You’ll now be able to update the license keys in the Update License Information screen with the updated keys provided by Click Studios Sales. Copy and paste each key into its respective field, ensuring there are no leading or trailing spaces (the keys in the image below have been redacted), and then click Next,

You will now be taken to the Encryption Key Rotation screen showing all the Tables and Records that will be re-encrypted with the new FIPS based keys. To commence the process, click on Re-Encrypt Data. The image below shows the data being re-encrypted with the tick symbol showing completed tables and the clock symbol showing tables and records still to be processed,

When the process is complete the Key Rotation Complete screen is presented. Again, please read the details presented, undertake any post Key Rotation tasks as advised and then click on the Start Passwordstate button,

Once you have logged back into Passwordstate you can check that your data has been re-encrypted using FIPS 140-2 encryption by navigating to Administration->Passwordstate Administration and looking at FIPS Encryption. It will now show FIPS Encryption set to Yes,

And proving you can change it back again
And for the purpose of this blog, I’ve changed our demo environment back again by running the same process and re-encrypting using AES 256 Bit Encryption.

Restrictions on Usage
The type of keys you use is registered in our internal licensing portal and is used for automatically generating your license keys on renewal of your Annual Support and Upgrade Protection. If you ask for FIPS keys and then decide to use your AES keys you will need to let us know. Otherwise, we’ll generate new license keys in the incorrect format.
Customers with Global Licenses will need to use either the 256 Bit AES Encryption or FIPS 140-2 keys. It is not possible to have both sets recorded in our internal Licensing Portal and renewed automatically.
Tracking when to rotate your encryption keys, and converting between AES and FIPS encryption (and vice versa), is easy under V9 Build 9350. We hope this information helps you to understand the process and would love to hear any feedback via support@clickstudios.com.au.