Configuration encryption

The Master key enables encrypting sensitive configuration parameters, system backups and external storage volumes. It also allows for recovering internal storage encryption key in case the pen drives containing encryption key are lost or damaged.

Note

  • The Master key is exported to PEM format and it is encrypted with SMIME using administrator’s public key/certificate.
  • It is essential to have the Master key exported and stored in a safe location.
  • In case the Master key has been compromised, you can invalidate it, which will result in generating a new one and re-encrypting the data.

Exporting master key

  1. Select Settings > System.
  2. In the Maintenance and supervision click Export current key and save the file on the file system.
../../_images/5-1-system-export-masterkey.png
  1. Click Choose file and browse the file system to find the certificate that will be used to encrypt the Master key.

Note

  • Generate the keys and the CSR (Certificate Signing Request) using openssl:

openssl req -newkey rsa:4096 -keyout privkey.pem -out req.pem openssl req -nodes -newkey rsa:4096 -keyout privkey.pem -out req.pem # Do not prompt for a password.

  • Sign the CSR:

openssl x509 -req -in req.pem -signkey privkey.pem -out cert.pem

  1. Click Confirm and save the the Master key file.

Invalidating current master key

In case the current Master key has been compromised, you can invalidate it. Invalidating the current Master key generates a new one and triggers data re-encryption.


  1. Select Settings > System.
  2. In the Maintenance and supervision click Invalidate current key.
../../_images/5-1-system-invalidate-masterkey.png
  1. Click Confirm to proceed with invalidating the current key and re-encrypting the data.
  2. Make sure to export the newly generated key.

Related topics: