Prerequisites |
---|
You’re familiar with the process of generating key pairs or importing them. |
You’re familiar with the functionality of the Key Pair Details page. |
You’re familiar with the bulk modification process. |
One of the best practices in OpenPGP encryption is key rotation. The Enterprise Admin Panel (EAP) supports this option, enabling the replacement of the original key with a new one that maintains identical user IDs and user associations.
How to rotate keys manually
1. To rotate a key, choose the key, and click on its fingerprint to view more details:
2. Then, click the Rotate button:
3. You’ll be redirected to a confirmation page with a summary of the changes that will be made:
`2024-02-29`, accounting for an additional two months from the modification `2023-12-31` date. It can be configured using the `keygen.rotation.set.superseded.key.pair.expiration.days` configuration property, which is set to `60` by default in the Email Key Manager or Enterprise Server properties file.
4. Once the key is rotated successfully, you can click the fingerprint labeled Superseded by to see the details of the new key:
`keygen.key.pair.expiration.days` configuration property, which is set to `365` by default in the Email Key Manager or Enterprise Server properties file.
Conversely, if you’d like to view the original key details, you can click on the fingerprint specified in the Supersedes field from the Key Pair Details page of the newly generated key:
From this moment, both the original and new keys will be active until the original one expires.
How to rotate keys in bulk
To rotate keys in bulk, click on Filters and select the keys you want to rotate using the available filters.
1. In this example, we’re selecting keys that expire before 2025-01-01 (YYYY-MM-DD). Once the appropriate filter is set, click on the Search button:
2. Sometimes your search result can include revoked keys:
3. In such cases, you can apply an additional filter to select only valid key pairs, as you can’t rotate revoked keys. Once the second filter is set, click on Bulk modify to initiate bulk modifications of keys:
4. This will redirect you to a new page where you can choose from various bulk modification types. Select rotate keys from the dropdown menu options and click Confirm Modification Type:
5. The new page will display the summary of the upcoming changes. Click on Confirm Bulk Modification to start the rotation process:
`keygen.rotation.set.superseded.key.pair.expiration.days` configuration property set to `60` by default in the Email Key Manager or Enterprise Server properties file, to control how many days the original key should remain valid.
6. A notification message will appear after the process finishes:
`keygen.key.pair.expiration.days` property in the Email Key Manager or Enterprise Server properties file.
Here is one of the newly generated keys. It has the same user ID and user association:
You can click on the fingerprint specified in its Supersedes field to see the original key:
The validity period of the newly generated key will be set according to your configuration, as described in the previous section.
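A dry run of the bulk selection and the resulting expiration dates, as an added example that is not part of the EAP product or of this guide's own material. The `KeyPair` record, the `plan_rotation` function and the sample inventory are hypothetical; the sketch assumes both periods are counted from the rotation date, uses the defaults quoted above, and goes slightly beyond the page by reporting which revoked keys were skipped.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Defaults quoted on this page for the two properties.
SUPERSEDED_DAYS = 60   # keygen.rotation.set.superseded.key.pair.expiration.days
NEW_KEY_DAYS = 365     # keygen.key.pair.expiration.days


@dataclass(frozen=True)
class KeyPair:
    fingerprint: str   # constructed placeholder, not a real fingerprint
    user_id: str
    expires: date
    revoked: bool = False


def plan_rotation(keys, expires_before, rotation_date,
                  superseded_days=SUPERSEDED_DAYS, new_key_days=NEW_KEY_DAYS):
    """Return (plan, skipped) for keys expiring before `expires_before`."""
    plan, skipped = [], []
    for key in keys:
        if key.expires >= expires_before:
            continue  # outside the "expires before" filter
        if key.revoked:
            skipped.append(key.fingerprint)  # revoked keys cannot be rotated
            continue
        # Assumption: both periods start on the rotation date.
        plan.append({
            "supersedes": key.fingerprint,
            "user_id": key.user_id,  # the new key keeps the same user ID
            "old_key_expires": rotation_date + timedelta(days=superseded_days),
            "new_key_expires": rotation_date + timedelta(days=new_key_days),
        })
    return plan, skipped


# Constructed sample inventory.
SAMPLE_KEYS = [
    KeyPair("FPR-0001", "alice@example.com", date(2024, 6, 30)),
    KeyPair("FPR-0002", "bob@example.com", date(2024, 3, 1), revoked=True),
    KeyPair("FPR-0003", "carol@example.com", date(2025, 8, 15)),
]

if __name__ == "__main__":
    plan, skipped = plan_rotation(SAMPLE_KEYS, date(2025, 1, 1), date(2023, 12, 31))
    for entry in plan:
        print(entry)
    print("skipped (revoked):", skipped)
```

With a rotation date of 2023-12-31 and the 60-day default, the superseded key's expiration comes out as 2024-02-29, matching the date shown in the manual rotation section.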
How to rotate keys automatically
Our Enterprise Admin Panel allows you to configure automatic key rotation. Please refer to the Configure Automatic Lifecycle Actions with Orchestrator guide for more details.