Kasten K10 Key Rotation

Scripts for automating key rotation in Kasten K10.

Vault

See the Kasten docs on how to setup encryption using Vault in Kasten and the Vault docs on key rotation in the Transit Secret Engine.

Make sure the Kasten Vault token has a policy that allows access to the Vault key. See: vault-kasten-policy-example.hcl

If you want to rotate the Vault key used in Kasten, you have to follow a three step process:

1. Create a new version of the key in Vault (i.e. trigger the /rotate API)
2. Create a new Passkey to force Kasten to re-encrypt the master key
3. Bump the min decryption version in Vault.

The old Passkey can then be deleted.

If you have a Passkey yaml file, the following script will automatically do the above:

However:

1. Make sure kubectl is set to the right context
2. Make sure vault is connected to your instance

./rotate-vault-key.sh passkey-vault-example.yaml

You can also use VAULT_CMD to override the Vault command. For example if you are running vault in Kubernetes:

export VAULT_CMD="kubectl --context vault-cluster-context -n vault exec -i vault-0 -- vault"
./rotate-vault-key.sh passkey-vault-example.yaml

KMS

See the Kasten docs on how to setup encryption using KMS in Kasten and the AWS docs on manual key rotation.

Make sure the Kasten has access to the KMS key. See:

• kasten-iam-user-policy-example.json
• kms-key-policy-example.json

If you want to rotate the KMS key used in Kasten, you have to follow a three step process:

1. Create a new key in KMS
2. Create a new Passkey with the new KMS key
3. Delete the KMS key and update the alias

The old Passkey can then be deleted.

If you have a Passkey yaml file, the following script will automatically do the above:

However:

1. Make sure kubectl is set to the right context
2. Make sure aws is configured to use the right account/region

./rotate-kms-key.sh passkey-kms-example.yaml