Manage the Cryptography Keys

This section explains how to manage the cryptography keys used to protect sensitive information and ensure the integrity of data in the ActivID Appliance database.

The keys are managed as a consistent key set of five keys for the following roles:

  • AUDIT – Audit signature

  • CREDS – User credentials are encrypted with this key role (replaces the des and DeviceSecretsKey keys of previous versions of the ActivID Appliance)

  • DSIGN – Database row integrity signature (DataSignature)

  • SESSION – Sessions (ALSI)

  • SYS – System credentials (adapter parameters) (replaces the ParameterValueKey key of previous versions of the ActivID Appliance)

Note:  
  • The renewal process might take several minutes, during which the audit data is archived and deleted, the database is re-encrypted, and the applications are restarted.
  • It is recommended that you back up the appliance and archive the audit data before renewing the keys.

Renew the Software Keys

  1. Log on to the ActivID Console and, under System in the left menu, select Cryptography.

  2. Click Renew Keys.

  3. Click Yes, proceed.

  4. Wait for the renewal process to complete.

  5. Click Done.

Renew the External HSM Keys

  1. Log on to the ActivID Console and, under System in the left menu, select Cryptography.

  2. Click Renew Keys.

  3. Click Yes, proceed.

  4. Wait for the renewal process to complete.

  5. Click Done.

Note: For further information about configuring and managing an external HSM, see Managing External HSMs.