Here are instructions for rotating CredHub encryption keys for VMware Tanzu Application Service for VMs (TAS for VMs). Encryption keys are values that CredHub uses to obscure stored secrets. When an operator marks an additional key as primary, CredHub can rotate in that additional key as the encryption key.
During this credential rotation process, the initial encryption key is used to access the hidden value, That value is then stored again by the additional encryption key.
Caution If you remove an encryption key and click Apply Changes before the rotation completes, the deployment breaks. If this happens, you can no longer access data stored with the deleted key.
To rotate TAS for VMs encryption keys:
Go to the Tanzu Operations Manager Installation Dashboard.
Click the TAS for VMs tile.
Select CredHub.
In the Encryption Keys section, click Add.
For Name, enter the name of your new encryption key.
For Key, enter your new encryption key.
Select the Primary check box.
Click Save.
Go to Tanzu Operations Manager Installation Dashboard.
Click Review Pending Changes, then Apply Changes.
To verify that the rotation completes:
Click the TAS for VMs tile.
Select the Status tab.
Within the CredHub job, locate Index 0.
In the Logs column, click the correlating download icon.
Select the Logs tab.
Click the corresponding link to the retrieve the downloaded log file.
Unzip the log file.
Unzip the larger of the two nested directories.
Tanzu Operations Manager generates a compressed file for each CredHub VM that exists on your deployment. Unzip each of these compressed files.
Open the credhub
directory.
Open the credhub.log
file. If the credential rotation completed successfully, the CredHub log contains the following string: Successfully rotated NUMBER-OF-CREDENTIALS items
Remove the old encryption key.
Click the trashcan icon that corresponds to the old encryption key.
Click Save.
Go to the Tanzu Operations Manager Installation Dashboard.
Click Review Pending Changes, then Apply Changes.