What is the Data Encryption Key (DEK)?¶
The Data Encryption Key (DEK) is a tenant-level encryption key used by VSatellites to protect sensitive data in Certificate Manager - SaaS.
Some of the critical functions of the DEK include:
- Encrypting stored credentials for Certificate Manager - SaaS integrations
- Encrypting private key material for certificates issued with Certificate Manager - SaaS-generated private keys
- Supporting encryption compliance requirements
- Enabling recovery scenarios when VSatellites lose connectivity
The DEK is generated when you install your first VSatellite. That DEK is then shared with all VSatellites that are subsequently installed in your network so that all VSatellites use the same DEK.
The DEK is never stored in Certificate Manager - SaaS in the cloud.
Important
Copies of the DEK reside in your VSatellites and are never stored in Certificate Manager - SaaS in the cloud. This means that if you delete all of your VSatellites, the DEK is lost.
DEK protection modes¶
VSatellites support two tenant-level DEK protection modes:
Software-based DEK (default)¶
- The DEK is generated when you install your first VSatellite.
- A copy of the DEK is stored on each VSatellite.
- The DEK can be backed up using
vsatctl export. - The DEK can be restored using the intended recovery workflow (when supported).
HSM-protected DEK¶
- The DEK is generated and stored inside a Hardware Security Module (HSM).
- The DEK never leaves the HSM and is not transmitted to Certificate Manager - SaaS.
- VSatellites interact with the HSM using the PKCS#11 standard.
- Exporting, importing, rotating, or recovering the DEK is not supported.
- Recovery relies on restoring access to the HSM and the existing DEK object.
Tenant-level encryption setting
The selected DEK protection mode applies to all VSatellites in the tenant.
After at least one VSatellite is deployed, the DEK protection mode cannot be changed unless all VSatellites are deleted.