How to Rotate CS:Govern Encryption Keys

This article applies to CS:Govern installations that use the built-in encryption key generation/management system. The built-in system uses what is native to the respective database (for example, PostgreSQL uses AES256 keys and pgcrypto), and this is what most installations use. This article also applies to installations that have opted to manage their own keys.

When encryption keys are rotated:

  • New encryption keys are computed and stored in CS:Govern as the current keys.
  • Future encryption will be performed with the new keys.
  • Previously encrypted records will continue to use their original keys until a database update/insert forces them to use the new keys.

The key rotation operation is simple:

  • Select the Tools => Rotate Encryption Keys option from the application menu bar in the top left of the application GUI.
  • Click on the Rotate Encryption Keys button.

Once done, the new encryption keys are installed in the default CS:Govern key store and will be used for future protection.
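
The rotation behaviour listed above (new current keys, future encryption under them, older records keeping their original key until rewritten) can be modelled in PostgreSQL with pgcrypto. This is an added example, not CS:Govern's schema or code: the `demo_key_store` and `demo_record` tables, their columns and the sample values are assumptions constructed for illustration.

```sql
-- Hypothetical model only: table/column names are assumptions, not CS:Govern's schema.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE demo_key_store (
    key_id     integer PRIMARY KEY,
    secret     text    NOT NULL,   -- constructed sample key material
    is_current boolean NOT NULL
);
CREATE TABLE demo_record (
    id         integer PRIMARY KEY,
    key_id     integer NOT NULL REFERENCES demo_key_store,  -- key that protects this row
    ciphertext bytea   NOT NULL
);

-- Key 1 is current; two records are written under it.
INSERT INTO demo_key_store VALUES (1, encode(gen_random_bytes(32), 'hex'), true);
INSERT INTO demo_record
SELECT v.id, k.key_id, pgp_sym_encrypt(v.plain, k.secret, 'cipher-algo=aes256')
FROM (VALUES (1, 'constructed value A'), (2, 'constructed value B')) AS v(id, plain),
     demo_key_store k
WHERE k.is_current;

-- Rotation: a new key becomes current; rows already stored are not touched.
UPDATE demo_key_store SET is_current = false;
INSERT INTO demo_key_store VALUES (2, encode(gen_random_bytes(32), 'hex'), true);

-- A later update to record 2 forces it onto the current key.
UPDATE demo_record r
SET key_id     = k.key_id,
    ciphertext = pgp_sym_encrypt('constructed value B, edited', k.secret, 'cipher-algo=aes256')
FROM demo_key_store k
WHERE k.is_current AND r.id = 2;

-- Reads use the key recorded on each row, so record 1 still decrypts with key 1.
SELECT r.id, r.key_id, pgp_sym_decrypt(r.ciphertext, k.secret) AS plain
FROM demo_record r JOIN demo_key_store k USING (key_id)
ORDER BY r.id;

-- Post-rotation check: how many records still depend on each non-current key?
SELECT k.key_id, count(r.id) AS records_still_using
FROM demo_key_store k LEFT JOIN demo_record r USING (key_id)
WHERE NOT k.is_current
GROUP BY k.key_id;
```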