 

What are existing practices for encryption / decryption / key rotation for Java Web apps

Tags: java, security

I need to encrypt user entered data in my Java-based web application (using jasypt) which is persisted in a MySQL database, and I want to be able to change the encryption key/passphrase at a regular interval (e.g. 90 days). The application lives on a server in the web.

The existing already encrypted data would need to be reencrypted with the new key, but in order to do so it would of course need the old key.

  1. What are common practices to rotate the keys?
  2. What are common ways to make the encryption keys available to the system (e.g. system properties passed via command line, encrypted properties files, downloading from another server via https)?

I expect there is no single answer to this but I would like to get some hints, pointers and buzzwords to investigate in the right direction.

Christoph asked Jul 23 '12 08:07



1 Answer

First off, it is important to understand the purpose of key rotation. Your use case is to encrypt data at rest. In this case, the purpose of key rotation is to contain a data breach in case either a key is leaked or the encrypted data set is leaked and subject to a brute-force decryption attack. Common practices for key rotation:

  • Time-bound key rotation: In this practice, keys are updated periodically.
  • Transaction level key: In this practice, each transaction is encrypted with its own unique key, leading to a higher level of data breach mitigation.

Making keys available to system: This is typically accomplished using a key management server. At its core, this server hands out (usually symmetric) keys to requesters based on parameters. The server might choose to either securely archive the generated keys for later retrieval, or ensure the keys are generated based on a fixed function guaranteed to generate the same key given the same set of parameters.

You can choose to write your own server or buy/license one. Licensing this component might be a better choice if you need to meet specific security compliance guidelines and need the compliance items checked off. For off-the-shelf solutions, look at StrongAuth or Porticor as examples.

Raj answered Oct 21 '22 03:10
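
Added example, not part of the original question or answer: a sketch of time-bound rotation in which every stored value carries the version of the key that encrypted it, so old rows stay readable while a job re-encrypts them under the newest key. It uses the JDK's `javax.crypto` AES-GCM instead of jasypt, and the in-memory keyring, the class and its method names are hypothetical stand-ins for a key management server.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class KeyRotationExample {
    // Stand-in for a key management server: key version -> key (assumption).
    private final Map<Integer, SecretKey> keyring = new HashMap<>();
    private int currentVersion = 0;
    // Time-bound rotation: add a new version; old versions stay for decryption.
    public void rotate() throws Exception {
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(256);
        keyring.put(++currentVersion, gen.generateKey());
    }
    private byte[] crypt(int mode, int version, byte[] iv, byte[] data) throws Exception {
        SecretKey key = keyring.get(version);
        if (key == null) throw new IllegalStateException("unknown key version " + version);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(128, iv));
        return c.doFinal(data);
    }
    // Stored layout: 4-byte key version | 12-byte IV | ciphertext+tag, Base64-encoded.
    public String encrypt(String plaintext) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv); // fresh IV for every value
        byte[] ct = crypt(Cipher.ENCRYPT_MODE, currentVersion, iv, plaintext.getBytes(StandardCharsets.UTF_8));
        ByteBuffer out = ByteBuffer.allocate(16 + ct.length).putInt(currentVersion).put(iv).put(ct);
        return Base64.getEncoder().encodeToString(out.array());
    }
    public String decrypt(String stored) throws Exception {
        byte[] raw = Base64.getDecoder().decode(stored);
        byte[] iv = Arrays.copyOfRange(raw, 4, 16), ct = Arrays.copyOfRange(raw, 16, raw.length);
        return new String(crypt(Cipher.DECRYPT_MODE, ByteBuffer.wrap(raw).getInt(), iv, ct), StandardCharsets.UTF_8);
    }
    // Rotation job step: re-encrypt a stored value unless it already uses the current key.
    public String reencrypt(String stored) throws Exception {
        int version = ByteBuffer.wrap(Base64.getDecoder().decode(stored)).getInt();
        return version == currentVersion ? stored : encrypt(decrypt(stored));
    }
    public static void main(String[] args) throws Exception {
        KeyRotationExample ks = new KeyRotationExample();
        ks.rotate();                                         // key version 1
        String row = ks.encrypt("constructed sample value"); // constructed input
        ks.rotate();                                         // key version 2
        System.out.println(ks.decrypt(ks.reencrypt(row)));
    }
}
```

An old key version can be dropped from the keyring only after every row has passed through `reencrypt`; until then it is still needed to read the remaining rows.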