Using the Key Management settings page, on-premises customers can rotate the primary key used to encrypt sensitive data in the Workspace ONE UEM database.

The factors of this encryption are split between the database, where the primary key resides, and the application servers, where a separate key encrypting key (KEK) resides. Configuring this feature is a multi-step process that requires access with administrator permissions to all Workspace ONE UEM servers and system administrator privileges at the global-level organization group in the Workspace ONE UEM console.

What can you do with the Key Management settings page?

The path to the settings page on the UEM console is Groups & Settings > All Settings > System > Security > Key Management.

With the Key Management settings page, you can:
  • Generate an installation file that must be run on each Workspace ONE UEM server that requires data access.
  • Initiate the primary key rotation and also stop the rotation in case of an issue.

Generate New Key Installation File

Setting: Description
  • Passphrase / Confirm Passphrase: Enter and confirm a strong passphrase. You must remember this passphrase for future use.
  • Generate: Select this button to generate the KEK and the primary key. Selecting this option reveals the Installation File and Download button.
  • Download: Select to download the install.config file. After you download this file, you have 48 hours to complete the next step, as after this time the primary key will be active.
  • Cancel: Select this button if something goes wrong, such as losing or forgetting the passphrase, and the rotation must be stopped. You can do so provided the cancellation happens before the 48 hours. After 48 hours, the rotation cannot be stopped. Be sure to keep the passphrase safe, as recovering data that has been encrypted with the new, rotated key after 48 hours is not possible.
  • Recover: In some cases you may see a Recover button next to Cancel, indicating that the configuration file may have expired. In this case, you do not need the passphrase to cancel.

Next Steps

Using the install.config file from the UEM console, install the KEK to all Workspace ONE UEM servers using the Key Installation Utility. To do this, execute the following command on each Workspace ONE UEM Server:

Utility.exe -f /path/to/install.config

If install.config is in the same directory as the utility, all command-line arguments can be omitted. After you run these commands, the installation completes.