Manage the Cryptography Keys

This section explains how to manage the cryptography keys used to protect sensitive information and assure integrity of data in the ActivID Appliance database.

The keys are managed as a consistent set of five AES-256 symmetric keys, each with a specific role, and the key aliases follow this naming convention:

<PREFIX>.<Key Role Type>.<version>

Where:

  • <PREFIX> – to make sure that the names remain unique, the specific prefix 'HID-IA-4T' is used for all the ActivID Appliance key aliases

    This prefix is not configurable.

  • <Key Role Type> – mandatory; identifies the role of the key within the key set

  • <version> – numeric version of the key (incremented with each renewal)

Based on this convention, the default key set (shared by all domains) that you need to generate using the HSM tools is:

Key Role   Key Type   Alias (shared)         Key Usage    Role Description
AUDIT      AES 256    HID-IA-4T.AUDIT.1      Signature    Audit signature
CREDS      AES 256    HID-IA-4T.CREDS.1      Encryption   User credentials encryption (replaces the des and DeviceSecretsKey keys of previous versions of the ActivID Appliance)
DSIGN      AES 256    HID-IA-4T.DSIGN.1      Signature    Database row integrity signature
SESSION    AES 256    HID-IA-4T.SESSION.1    Encryption   ALSI sessions encryption/decryption
SYS        AES 256    HID-IA-4T.SYS.1        Encryption   System credentials encryption/decryption (adapter parameters; replaces the ParameterValueKey key of previous versions of the ActivID Appliance)

Note: The ActivID Appliance server expects the key aliases to be in uppercase characters, as defined by the naming convention. However, case-sensitivity of aliases depends on the keystore implementation (software keystore or HSM).

Therefore, when the HSM keys are created or renewed through a manual process (using HSM-dependent tools), it is recommended that you always use the uppercase key aliases.

Important:  
  • The renewal process might take several minutes during which the audit data will be archived and deleted, the database re-encrypted and the applications restarted.
  • It is recommended that you back up the appliance and archive the audit data before renewing the keys.

Renew the Software Keys

  1. Log on to the ActivID Console and, under System in the left menu, select Cryptography.

  2. Click Renew Keys.

  3. Click Yes, proceed.

  4. Wait for the renewal process to complete.

  5. Click Done.

Renew the External HSM Keys

  1. On your HSM, create the new set of keys based on the naming convention detailed above and incrementing the version.

    For example:

    Existing Key Set         New Key Set
    HID-IA-4T.AUDIT.1        HID-IA-4T.AUDIT.2
    HID-IA-4T.CREDS.1        HID-IA-4T.CREDS.2
    HID-IA-4T.DSIGN.1        HID-IA-4T.DSIGN.2
    HID-IA-4T.SESSION.1      HID-IA-4T.SESSION.2
    HID-IA-4T.SYS.1          HID-IA-4T.SYS.2

  2. Log on to the ActivID Console and, under System in the left menu, select Cryptography.

  3. Click Renew Keys.

  4. Click Yes, proceed.

  5. Wait for the renewal process to complete.

  6. Click Done.

Note: For further information, see Managing External HSMs.
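The following is an added example (not part of the ActivID Appliance documentation or tooling) that applies the naming convention above to the alias list exported from a keystore: it checks that a complete, consistently versioned key set exists, flags aliases that are not uppercase, and lists the aliases to create on the HSM for the next renewal. The functions `parse_alias`, `check_key_set` and `next_key_set` are hypothetical helpers; the alias list they are run on is constructed here for illustration.

```python
import re
from typing import Dict, List, Optional

# Naming convention from the documentation: <PREFIX>.<Key Role Type>.<version>
PREFIX = "HID-IA-4T"                                   # fixed, not configurable
KEY_ROLES = ("AUDIT", "CREDS", "DSIGN", "SESSION", "SYS")
ALIAS_RE = re.compile(r"^(?P<prefix>[^.]+)\.(?P<role>[^.]+)\.(?P<version>\d+)$")


def parse_alias(alias: str) -> Optional[dict]:
    """Split an alias into prefix, role and version; None if it is malformed."""
    m = ALIAS_RE.match(alias)
    if m is None:
        return None
    return {"prefix": m["prefix"], "role": m["role"], "version": int(m["version"])}


def check_key_set(aliases: List[str]) -> dict:
    """Report the newest complete key-set version and any convention problems.

    The server expects uppercase aliases, so lowercase spellings are accepted
    for the completeness check but reported as problems (hypothetical helper).
    """
    problems: List[str] = []
    by_version: Dict[int, set] = {}
    for alias in aliases:
        parsed = parse_alias(alias)
        if parsed is None or parsed["prefix"].upper() != PREFIX:
            problems.append(f"ignored alias outside the convention: {alias}")
            continue
        if alias != alias.upper():
            problems.append(f"alias not uppercase (server expects uppercase): {alias}")
        role = parsed["role"].upper()
        if role not in KEY_ROLES:
            problems.append(f"unknown key role: {alias}")
            continue
        by_version.setdefault(parsed["version"], set()).add(role)
    for version, roles in sorted(by_version.items()):
        missing = sorted(set(KEY_ROLES) - roles)
        if missing:
            problems.append(f"version {version} is incomplete, missing: {missing}")
    complete = [v for v, roles in by_version.items() if roles == set(KEY_ROLES)]
    return {"current_version": max(complete) if complete else None, "problems": problems}


def next_key_set(current_version: int) -> List[str]:
    """Aliases to create on the HSM (version + 1) before clicking Renew Keys."""
    return [f"{PREFIX}.{role}.{current_version + 1}" for role in KEY_ROLES]


# Constructed sample: a complete version 1 set plus a partial, mixed-case version 2.
SAMPLE_ALIASES = [f"{PREFIX}.{role}.1" for role in KEY_ROLES] + ["HID-IA-4T.AUDIT.2", "HID-IA-4T.creds.2"]
```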