What Is the Data Encryption Key (DEK)?
The Data Encryption Key (DEK) is a tenant-level encryption key used by VSatellites to protect sensitive data in Next-Gen Trust Security.
Some of the critical functions of the DEK include:
- Encrypting stored credentials for Next-Gen Trust Security integrations
- Encrypting private key material for certificates issued with Next-Gen Trust Security-generated private keys
- Supporting encryption compliance requirements
- Enabling recovery scenarios when VSatellites lose connectivity
The DEK is generated when you install your first VSatellite. That DEK is then
shared with all VSatellites that are subsequently installed in your network
so that all VSatellites use the same DEK.
The DEK is never stored in Next-Gen Trust Security in the cloud.
Important: Copies of the DEK reside in your VSatellites and are never stored in Next-Gen Trust Security in the cloud. This means that if you delete all of your VSatellites, the DEK is lost.
DEK Protection Modes
VSatellites support two tenant-level DEK protection modes:
Software-Based DEK (default)
- The DEK is generated when you install your first VSatellite.
- A copy of the DEK is stored on each VSatellite.
- The DEK can be backed up using vsatctl export.
- The DEK can be restored using the intended recovery workflow (when supported).
HSM-Protected DEK
- The DEK is generated and stored inside a Hardware Security Module (HSM).
- The DEK never leaves the HSM and is not transmitted to Next-Gen Trust Security.
- VSatellites interact with the HSM using the PKCS#11 standard.
- Exporting, importing, rotating, or recovering the DEK is not supported.
- Recovery relies on restoring access to the HSM and the existing DEK object.
Important (Tenant-level encryption setting): The selected DEK protection mode applies to all VSatellites in the tenant. After at least one VSatellite is deployed, the DEK protection mode cannot be changed unless all VSatellites are deleted.