Changing the data encryption key for OpenPages
You can change the encryption key that is used to encrypt data in OpenPages.
Before you begin
- You are familiar with encryption keys and how to manage them.
- You know how to use the OpenPages GRC REST API or you have experience with other REST APIs.
- You can log in to the OpenPages application as a super administrator, such as OpenPagesAdministrator.
- You can log in to Red Hat® OpenShift® as an instance administrator.
About this task
Backing up the current encryption key
Back up your current encryption key. Keep it until the key change is complete and verified: the OpenPages backup that you take in the next step contains data that was encrypted with this key, so restoring that backup requires it.
Procedure
Backing up OpenPages
Back up your OpenPages instance.
About this task
For more information, see Backing up, restoring, and migrating OpenPages.
Decrypting data with the current encryption key
After you complete the backups, decrypt the data by using the current encryption key so that the data can be encrypted later with the new key.
Before you begin
To do this task, the application pods must be in a Running state and their readiness status must be Ready.
To authenticate to the API, you pass an access token or platform API key token in an Authorization header.
- To get an access token, see Using Authorization: Bearer token.
- To get a platform API key token, see Using Authorization: ZenApiKey token.
About this task
To call the API, send an HTTPS PUT request, by using an HTTPS client with an access token or platform API key token in an Authorization header, to the following path:
https://<cloud_pak_url>/openpages-<openpages_instance_name>-opgrc/api/v2/configuration/decrypt_with_external_key
- The following curl command shows an example of an HTTPS PUT request to the path, using an access token to authenticate:
curl -k --location --request PUT --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Bearer <token>' 'https://<cloud_pak_url>/openpages-<openpages_instance_name>-opgrc/api/v2/configuration/decrypt_with_external_key'
- The following curl command shows an example of an HTTPS PUT request to the path, using a platform API key token to authenticate:
curl -k --location --request PUT --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: ZenApiKey <token>' 'https://<cloud_pak_url>/openpages-<openpages_instance_name>-opgrc/api/v2/configuration/decrypt_with_external_key'
The API response includes the process ID of the long-running decryption process, for example:
{"processId":"2927"}
In the curl commands, replace <cloud_pak_url> with the URL of Cloud Pak for Data and <openpages_instance_name> with the name of the OpenPages instance. The -k parameter turns off verification of the server certificate, so curl also accepts a certificate that is not trusted. Because every request carries your token, do not use -k routinely: it is not needed if you replaced the default certificates with your own certificate authority (CA)-signed certificates, and with the default certificates you can pass the cluster's CA certificate to curl with --cacert instead.
To check the status of the process, call the following path by using your browser or by using an HTTPS client to send a GET request with an access token or platform API key token in an Authorization header:
https://<cloud_pak_url>/openpages-<openpages_instance_name>-opgrc/api/v2/processes/<process_Id>
- The following curl command shows an example of an HTTPS GET request to the path, using an access token to authenticate:
curl -k --location --request GET --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Bearer <token>' 'https://<cloud_pak_url>/openpages-<openpages_instance_name>-opgrc/api/v2/processes/<process_Id>'
- The following curl command shows an example of an HTTPS GET request to the path, using a platform API key token to authenticate:
curl -k --location --request GET --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: ZenApiKey <token>' 'https://<cloud_pak_url>/openpages-<openpages_instance_name>-opgrc/api/v2/processes/<process_Id>'
In the response, the status attribute indicates whether the process is finished or still in progress. You can repeat the check as needed. The process is complete when the status value is STATUS_FINISHED_SUCCESS.
The decryption process can take time, depending on the data volume, especially if you have many file attachment records.
To view the log of the process, send a GET request with the same Authorization header to the following path:
https://<cloud_pak_url>/openpages-<openpages_instance_name>-opgrc/api/v2/processes/<process_Id>/logs
Generating a new secret key
Generate a new encryption key.
About this task
OpenPages uses AES-256 for data encryption. The key must be 256 bits (32 bytes) long and it must be base64-encoded; it must meet these requirements so that it can be stored in a Kubernetes Secret.
To generate a new random key, you can use a random generation tool or you can use openssl. The openssl command is available on the OpenPages application server pod:
Procedure
Updating Red Hat OpenShift with the new key
Update the Kubernetes Secret in Red Hat OpenShift with the new key value.
Procedure
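The generate, check and update steps above, as an added example that is not from the OpenPages documentation: it generates the key with openssl (falling back to /dev/urandom), verifies that the value decodes to exactly 32 bytes before anything is written, and prints the oc patch command for review instead of running it. The namespace, Secret name and key field (OP_NAMESPACE, OP_SECRET_NAME, OP_SECRET_FIELD) are placeholders because the page does not name them; read the existing Secret first (oc get secret ... -o yaml) to confirm which field holds the key and whether the stored value is the base64 text itself, which is what the stringData patch below assumes.

```shell
#!/usr/bin/env bash
# Added example, not from the OpenPages documentation: generate a new
# 256-bit key, check it, and print the Secret update for review.
# The namespace, Secret name and key field are placeholders (the page does
# not give them); read the existing Secret first and keep its layout.
set -eu

: "${OP_NAMESPACE:=<openpages-namespace>}"
: "${OP_SECRET_NAME:=<encryption-key-secret>}"
: "${OP_SECRET_FIELD:=<key-field>}"

# generate_key: 32 random bytes, base64-encoded (44 characters, one '=' pad).
generate_key() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 32          # the openssl route the page points to
  else
    head -c 32 /dev/urandom | base64 | tr -d '\n'
  fi
}

# check_key KEY: 0 only if KEY is base64 text that decodes to exactly 32 bytes.
# Catches the usual mistakes: a hex string, a 16-byte (AES-128) key, stray
# whitespace, or a value that was base64-encoded twice.
check_key() {
  local n
  case "$1" in
    ''|*[!A-Za-z0-9+/=]*) return 1 ;;   # outside the base64 alphabet
  esac
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "$n" -eq 32 ]
}

# patch_command KEY: print the oc command that stores KEY in the Secret.
# stringData lets the API server apply the Secret's own base64 layer, so the
# value OpenPages reads back is the base64 key text. Assumption: verify it
# against the form the current Secret uses before running the command.
patch_command() {
  printf "oc -n %s patch secret %s --type merge -p '{\"stringData\":{\"%s\":\"%s\"}}'\n" \
    "$OP_NAMESPACE" "$OP_SECRET_NAME" "$OP_SECRET_FIELD" "$1"
}

key=$(generate_key)
check_key "$key" || { echo "generated key is not 32 base64-encoded bytes" >&2; exit 1; }
patch_command "$key"   # review, then run; the key should go into the Secret and nowhere else
```

Run the printed oc command from a shell whose history is not shared, and do not paste the key into tickets or chat: once it is in the Secret, the Secret is the only copy you need besides your key backup.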
Restarting the application servers
Restart the application server pods and scale up to the number of replicas you want to use.
Procedure
Encrypting data with the new key
You are now ready to encrypt the data with the new encryption key.
Before you begin
To do this task, the application pods must be in a Running state and their readiness status must be Ready.
To authenticate to the API, you pass an access token or platform API key token in an Authorization header.
- To get an access token, see Using Authorization: Bearer token.
- To get a platform API key token, see Using Authorization: ZenApiKey token.
About this task
To call the API, send an HTTPS PUT request, by using an HTTPS client with an access token or platform API key token in an Authorization header, to the following path:
https://<cloud_pak_url>/openpages-<openpages_instance_name>-opgrc/api/v2/configuration/encrypt_with_external_key
- The following curl command shows an example of an HTTPS PUT request to the path, using an access token to authenticate:
curl -k --location --request PUT --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Bearer <token>' 'https://<cloud_pak_url>/openpages-<openpages_instance_name>-opgrc/api/v2/configuration/encrypt_with_external_key'
- The following curl command shows an example of an HTTPS PUT request to the path, using a platform API key token to authenticate:
curl -k --location --request PUT --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: ZenApiKey <token>' 'https://<cloud_pak_url>/openpages-<openpages_instance_name>-opgrc/api/v2/configuration/encrypt_with_external_key'
The API response includes the process ID of the long-running encryption process, for example:
{"processId":"2928"}
In the curl commands, replace <cloud_pak_url> with the URL of Cloud Pak for Data and <openpages_instance_name> with the name of the OpenPages instance. The -k parameter turns off verification of the server certificate, so curl also accepts a certificate that is not trusted. Because every request carries your token, do not use -k routinely: it is not needed if you replaced the default certificates with your own certificate authority (CA)-signed certificates, and with the default certificates you can pass the cluster's CA certificate to curl with --cacert instead.
To check the status of the process, call the following path by using your browser or by using an HTTPS client to send a GET request with an access token or platform API key token in an Authorization header:
https://<cloud_pak_url>/openpages-<openpages_instance_name>-opgrc/api/v2/processes/<process_Id>
- The following curl command shows an example of an HTTPS GET request to the path, using an access token to authenticate:
curl -k --location --request GET --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Bearer <token>' 'https://<cloud_pak_url>/openpages-<openpages_instance_name>-opgrc/api/v2/processes/<process_Id>'
- The following curl command shows an example of an HTTPS GET request to the path, using a platform API key token to authenticate:
curl -k --location --request GET --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: ZenApiKey <token>' 'https://<cloud_pak_url>/openpages-<openpages_instance_name>-opgrc/api/v2/processes/<process_Id>'
In the response, the status attribute indicates whether the process is finished or still in progress. You can repeat the check as needed. The process is complete when the status value is STATUS_FINISHED_SUCCESS.
The encryption process can take time, depending on the data volume, especially if you have many file attachment records.
To view the log of the process, send a GET request with the same Authorization header to the following path:
https://<cloud_pak_url>/openpages-<openpages_instance_name>-opgrc/api/v2/processes/<process_Id>/logs
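The decryption step and the encryption step above follow the same pattern: a PUT starts a long-running process and returns its processId, a GET on /api/v2/processes/<process_Id> is repeated until status is STATUS_FINISHED_SUCCESS, and the /logs path holds the record. The following script is an added example that is not from the OpenPages documentation and drives either step end to end. It assumes that the process response is JSON with a top-level "status" field (the page names the field but does not show the full document), that any other STATUS_FINISHED_* value means the process ended without success (an assumption; read the log in that case), and that the token is supplied in the OP_TOKEN environment variable; all OP_* names are the script's own.

```shell
#!/usr/bin/env bash
# Added example, not from the OpenPages documentation: start the decrypt or
# encrypt long-running process and poll it until it finishes.
# Assumptions (not stated on the page): /api/v2/processes/<id> returns JSON
# with a top-level "status" field; a STATUS_FINISHED_* value other than
# STATUS_FINISHED_SUCCESS is treated as failure; all OP_* names are this
# script's own. Set OP_TOKEN in the environment rather than typing the token
# on the command line so that it does not land in your shell history.
set -eu

: "${OP_BASE:=https://<cloud_pak_url>/openpages-<openpages_instance_name>-opgrc}"
: "${OP_AUTH_SCHEME:=Bearer}"   # Bearer for an access token, ZenApiKey for a platform API key token
: "${OP_TOKEN:=}"
: "${OP_CACERT:=}"              # CA bundle of the cluster; when empty the script falls back to -k
: "${OP_POLL_SECONDS:=30}"
: "${OP_TIMEOUT:=86400}"        # a run with many attachments can take hours

# op_request METHOD PATH: send one authenticated request and print the body.
# --fail makes curl exit non-zero on an HTTP error, so set -e stops the run.
op_request() {
  set -- --silent --show-error --fail --location --request "$1" \
    --header 'Content-Type: application/json' --header 'Accept: application/json' \
    --header "Authorization: ${OP_AUTH_SCHEME} ${OP_TOKEN}" "${OP_BASE}$2"
  if [ -n "$OP_CACERT" ]; then
    set -- --cacert "$OP_CACERT" "$@"   # verify the server so the token only reaches the real cluster
  else
    set -- -k "$@"                      # no certificate verification: acceptable for a lab only
  fi
  curl "$@"
}

# json_field JSON KEY: extract a scalar field (quoted string or number) without jq.
json_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# start_process ACTION: ACTION is decrypt or encrypt; prints the process ID.
start_process() {
  local body id
  body=$(op_request PUT "/api/v2/configuration/${1}_with_external_key")
  id=$(json_field "$body" processId)
  [ -n "$id" ] || { echo "no processId in response: $body" >&2; return 1; }
  printf '%s\n' "$id"
}

# wait_for_process ID: poll the status until the process finishes; 0 on success.
wait_for_process() {
  local id=$1 status deadline
  deadline=$(( $(date +%s) + OP_TIMEOUT ))
  while :; do
    status=$(json_field "$(op_request GET "/api/v2/processes/$id")" status)
    case "$status" in
      STATUS_FINISHED_SUCCESS) return 0 ;;
      STATUS_FINISHED_*) echo "process $id ended with status $status" >&2; return 1 ;;
    esac
    [ "$(date +%s)" -lt "$deadline" ] || { echo "timed out waiting for process $id" >&2; return 1; }
    sleep "$OP_POLL_SECONDS"
  done
}

# Usage: OP_TOKEN=... ./rotate-step.sh decrypt, then after the key swap and
# restart: OP_TOKEN=... ./rotate-step.sh encrypt
case "${1:-}" in
  decrypt|encrypt)
    [ -n "$OP_TOKEN" ] || { echo "OP_TOKEN is not set" >&2; exit 1; }
    id=$(start_process "$1")
    echo "started $1 process $id; polling every ${OP_POLL_SECONDS}s" >&2
    wait_for_process "$id"
    op_request GET "/api/v2/processes/$id/logs"   # keep the log with the change record
    ;;
  '') ;;                                          # no argument: only define the functions
  *) echo "usage: $0 decrypt|encrypt" >&2; exit 2 ;;
esac
```

Run the script once with decrypt before the key swap and once with encrypt after the pods are back in the Ready state; a non-zero exit means the step did not reach STATUS_FINISHED_SUCCESS and the log should be read before continuing, because the old and new keys must not both be in use against partially converted data.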
Restarting the application servers again
Restart the application server pods again.