Database Protection
The CORE database is protected at rest by the system-specific Data Encryption Key (DEK), the key that encrypts the database. This key is permanent. At rest, the DEK is itself protected by the system-specific Key Encryption Key (KEK), and it is re-encrypted whenever its KEK is rotated.
Note
It is a common database protection practice to rotate the KEK and re-encrypt the DEK. The database itself remains encrypted by the same DEK.
The database protection infrastructure includes three files located in the following folder:

/var/lib/ekm/data/key/

C:\ProgramData\Dyadic\ekm\data\key\
The files are:
- key.data - contains the encrypted DEK.
- key.info - specifies the location of the KEK, its name and protection method, and how the KEK should decrypt the DEK.
- key.jks - the default location of the KEK.
DEK Metadata
The DEK is decrypted according to the settings stored in the key.info file:
- The location of the KEK, its name and its protection method.
- The algorithm to be used by the obtained KEK to decrypt the DEK.
For example, the default key.info includes the following parameters:
store_file=/var/lib/ekm/data/key/key.jks
store_type=JCEKS
store_password=********************
provider_name=SunJCE
key_name=EKM
algorithm=RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING
Default KEK
By default, CORE keeps the KEK in a passphrase-protected Java keystore (JKS; a Java KeyStore is a repository of security certificates, either authorization certificates or public key certificates, plus the corresponding private keys, used for instance in SSL encryption). The key, the keystore, and its protection are created during the server's bootstrap. During the EKM (Enterprise Key Management, the previous name of the product) service start, the system obtains the KEK from its keystore, decrypts the DEK, and uses it to decrypt the rest of the database in memory.
Rotating KEK in a Server
To replace the default KEK keystore and key, run java -jar <path>/ekmconfig.jar. It updates or creates a keystore with the new KEK, re-encrypts the DEK, and updates the DEK metadata.
Syntax:
java -jar <path to ekmconfig.jar> -database -protect
-n,--name <new-KEK name>
-p,--provider <new-KEK Java Security Provider name>
-t,--type <new-KEK Java security provider type>
[-a,--algorithm <cypher to be used with the DEK>] (default: RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING)
[-f,--file <new-KEK keystore file name. Applicable to the SunJCE provider>]
[-w,--password <new-KEK keystore password. Applicable to the SunJCE provider>]
[-o,--port <the port specified in the server bootstrap procedure>] (default: 443)
Note
The location of ekmconfig.jar is OS-specific. See Java Security Provider Jar.
Quickstart - Rotating KEK in JKS
In this quickstart, we rotate the KEK:
- Generate a new key using the Java security provider: -providername SunJCE, -storetype JCEKS.
- Declare the generated key as the new KEK.
- Instruct it to use the RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING algorithm to encrypt and decrypt the DEK.
Steps:
- Change your working directory to the location of the new keystore.
- Generate a new KEK (myKEK) in a new keystore (myKS.jks):
keytool -genkeypair -keyalg RSA -keysize 2048 -alias myKEK \
-dname "CN=myCN" -keystore ./myKS.jks -storepass myKEK1! \
-providername SunJCE -storetype JCEKS
- Run the ekmconfig tool (on RHEL platforms), pointing it at the keystore and alias created in the previous step:
sudo java -jar /usr/lib64/ekmconfig.jar -database -protect \
-n myKEK -p SunJCE -t JCEKS -f ./myKS.jks -w ********* \
-a RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING
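The following Java program is an added example, not CORE's own code or the implementation of ekmconfig.jar. It walks through the two operations this page describes: the start-up path of the DEK Metadata section (read key.info, open the keystore it names, obtain the KEK, unwrap the DEK from key.data) and the rotation path of the quickstart above (wrap the same DEK under a KEK that keytool has just generated, then rewrite key.data and key.info). It assumes that key.info is in Java Properties format with exactly the keys shown in the sample above, that key.data holds the raw RSA-OAEP ciphertext of an AES DEK, and that the new KEK already exists in a JCEKS keystore created with keytool as in the quickstart; the real on-disk layout of key.data is not documented on this page, so that part is an assumption.

```java
// Added example (not CORE/ekmconfig code). Demonstrates: DEK unwrap from
// key.info + key.data, and KEK rotation by re-wrapping the unchanged DEK.
// Assumptions: key.info is Java Properties format with the page's keys;
// key.data is the raw RSA-OAEP ciphertext of an AES DEK; the new KEK was
// generated with keytool into a JCEKS keystore (alias + password known).
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Key;
import java.security.KeyStore;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class KekRotationExample {

    // Parse key.info (store_file, store_type, store_password, provider_name, key_name, algorithm).
    static Properties readKeyInfo(Path dir) throws Exception {
        Properties info = new Properties();
        try (InputStream in = Files.newInputStream(dir.resolve("key.info"))) {
            info.load(in);
        }
        return info;
    }

    // Open the keystore that key.info points at, using the provider and type it names.
    static KeyStore openStore(Properties info) throws Exception {
        KeyStore ks = KeyStore.getInstance(info.getProperty("store_type"),
                                           info.getProperty("provider_name"));
        char[] pw = info.getProperty("store_password").toCharArray();
        try (InputStream in = Files.newInputStream(Path.of(info.getProperty("store_file")))) {
            ks.load(in, pw);
        }
        return ks;
    }

    // Start-up path: KEK (RSA private key) from the keystore, then DEK = decrypt(key.data).
    static Key loadDek(Path dir) throws Exception {
        Properties info = readKeyInfo(dir);
        KeyStore ks = openStore(info);
        char[] pw = info.getProperty("store_password").toCharArray();   // keytool default: keypass == storepass
        Key kek = ks.getKey(info.getProperty("key_name"), pw);
        Cipher c = Cipher.getInstance(info.getProperty("algorithm"));    // e.g. RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING
        c.init(Cipher.DECRYPT_MODE, kek);
        byte[] dekBytes = c.doFinal(Files.readAllBytes(dir.resolve("key.data")));
        return new SecretKeySpec(dekBytes, "AES");
    }

    // Rotation path: wrap the existing DEK with the public half of the new KEK and
    // rewrite key.data and key.info. The encrypted database itself is not touched.
    static void rotateKek(Path dir, Path newStore, String newAlias, String newStorePw) throws Exception {
        Key dek = loadDek(dir);                       // needs the OLD KEK to succeed
        String algorithm = readKeyInfo(dir).getProperty("algorithm");

        KeyStore ks = KeyStore.getInstance("JCEKS", "SunJCE");
        try (InputStream in = Files.newInputStream(newStore)) {
            ks.load(in, newStorePw.toCharArray());
        }
        Key newKekPublic = ks.getCertificate(newAlias).getPublicKey();

        Cipher c = Cipher.getInstance(algorithm);
        c.init(Cipher.ENCRYPT_MODE, newKekPublic);
        byte[] wrapped = c.doFinal(dek.getEncoded());  // 32-byte AES key fits easily in RSA-2048 OAEP

        Files.write(dir.resolve("key.data"), wrapped);
        Properties updated = new Properties();
        updated.setProperty("store_file", newStore.toAbsolutePath().toString());
        updated.setProperty("store_type", "JCEKS");
        updated.setProperty("store_password", newStorePw);
        updated.setProperty("provider_name", "SunJCE");
        updated.setProperty("key_name", newAlias);
        updated.setProperty("algorithm", algorithm);
        try (OutputStream out = Files.newOutputStream(dir.resolve("key.info"))) {
            updated.store(out, "DEK metadata rewritten by KekRotationExample");
        }
    }

    // Usage: java KekRotationExample <key dir> <new keystore> <new alias> <new store password>
    public static void main(String[] args) throws Exception {
        Path dir = Path.of(args[0]);                  // e.g. /var/lib/ekm/data/key
        byte[] before = loadDek(dir).getEncoded();
        rotateKek(dir, Path.of(args[1]), args[2], args[3]);
        byte[] after = loadDek(dir).getEncoded();     // now decrypted with the NEW KEK
        System.out.println("DEK unchanged after rotation: " + java.util.Arrays.equals(before, after));
    }
}
```

Run it against a copy of the key directory first, for instance `javac KekRotationExample.java && java KekRotationExample /tmp/keycopy ./myKS.jks myKEK 'myKEK1!'`; the final line printing `true` is the property the page relies on: the DEK, and therefore the database ciphertext, is the same before and after the KEK rotation, and only the wrapping in key.data changes. One caveat worth checking before moving the KEK into an HSM: with SunJCE and the transformation string above, the default OAEP parameters hash the label with SHA-256 but use SHA-1 inside MGF1, so an HSM-side unwrap must be configured with the same digest pair or it will fail even though the ciphertext is valid.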
Note
If the ekmconfig.jar command does not recognize the specified --provider or --type, run the command with the --verbose option. Among other things, it lists all supported provider names and their keystore types.
Managing KEK in HSM
The default KEK may be replaced ("rotated") by a key in an HSM (Hardware Security Module, a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing). See CORE Database Protection using HSM.
The database of a CORE system is:
- Spread across the EP and its Partner.
- Replicated among all EPs and Partners.
- At rest, encrypted on each server by its DEK.
The DEKs are specific to each server and protected by their individual KEKs. If organization policy demands that the KEK be protected by an HSM, then the default KEKs of all EP and Partner servers in a cluster must be replaced by keys located in the HSM(s).
In such a case, all servers may share the same KEK or use individual KEKs, as shown in the following illustration.
Rotating KEK in HSM
To ensure that the DEK's metadata is properly updated and the DEK is re-encrypted using the new version of the KEK, the KEK rotation must follow the same procedure as specified in Rotating KEK in a Server. In particular:
- A new key must be created in the HSM.
- Each server should execute the java -jar <path to ekmconfig.jar> -database -protect procedure referring to the new key. See details in CORE Database Protection using HSM.