What is the Data Encryption Key (DEK)?
Table of Contents
Expand all | Collapse all
-
- Activate Next-Generation Trust Security
-
-
- Configure AWS connection
- Configure Azure Key Vault connection
-
- Workload Identity Federation authentication
- Workload Identity Federation - Azure Identity Provider authentication
- Next-Gen Trust Security Generated Key authentication
- User permissions
- Workload Identity Federation authentication
- Next-Gen Trust Security Generated Key authentication
- User permissions
- Supported OIDC claims
-
-
-
-
- Create an F5 BIG-IP LTM machine
- Create a Microsoft Azure Private Key Vault machine
- Create a Microsoft IIS machine
- Create a Microsoft Windows (PowerShell) machine
- Create a Microsoft SQL Server machine
- Create a Common KeyStore machine
- Create a Citrix ADC machine
- Create an Imperva WAF machine
- Create a VMware NSX Advanced Load Balancer (AVI) machine
- Create an A10 Thunder ADC machine
- Create a Cloudflare machine
- Create Kemp Virtual LoadMaster machine
- Create a Palo Alto Panorama machine
-
- Provision to an F5 BIG-IP LTM
- Provision to a Microsoft Azure Private Key Vault
- Provision to Microsoft IIS
- Provision to Microsoft Windows (PowerShell)
- Provision to Microsoft SQL Server
- Provision to a Common KeyStore
- Provision to a Citrix ADC
- Provision to an Imperva WAF
- Provision to VMware NSX Advanced Load Balancer (AVI)
- Provision to an A10 Thunder ADC
- Provision to Cloudflare
- Provision to a Kemp Virtual LoadMaster
- Provision to Palo Alto Panorama
-
-
- 47-Day Validity Readiness TLS Certificates dashboard
- About the Certificate Inventory
- Managing certificate lifecycle settings
- Reissuing certificates in Next-Gen Trust Security
- Downloading certificates, certificate chains, and keystores
- Retiring, recovering, and deleting certificates
- Finding certificates in the certificate inventory
- Importing certificates from a CA using EJBCA
- Notification Center overview
- Domain-based validation for external emails
- Managing user accounts
- Troubleshooting
What is the Data Encryption Key (DEK)?
The Data Encryption Key (DEK) is a tenant-level encryption key used by VSatellites to protect sensitive data in Next-Gen Trust Security.
Some of the critical functions of the DEK include:
- Encrypting stored credentials for Next-Gen Trust Security integrations
- Encrypting private key material for certificates issued with Next-Gen Trust Security-generated private keys
- Supporting encryption compliance requirements
- Enabling recovery scenarios when VSatellites lose connectivity
The DEK is generated when you install your first VSatellite. That DEK is then
shared with all VSatellites that are subsequently installed in your network
so that all VSatellites use the same DEK.
The DEK is never stored in Next-Gen Trust Security in the cloud.
Important: Copies of the DEK reside in your VSatellites and are never stored in Next-Gen Trust Security in the cloud. This means that if you delete all of your VSatellites, the DEK is lost.
DEK protection modes
VSatellites support two tenant-level DEK protection modes:
Software-based DEK (default)
- The DEK is generated when you install your first VSatellite.
- A copy of the DEK is stored on each VSatellite.
- The DEK can be backed up using vsatctl export.
- The DEK can be restored using the intended recovery workflow (when supported).
HSM-protected DEK
- The DEK is generated and stored inside a Hardware Security Module (HSM).
- The DEK never leaves the HSM and is not transmitted to Next-Gen Trust Security.
- VSatellites interact with the HSM using the PKCS#11 standard.
- Exporting, importing, rotating, or recovering the DEK is not supported.
- Recovery relies on restoring access to the HSM and the existing DEK object.
Important (Tenant-level encryption setting): The selected DEK protection mode applies to all VSatellites in the tenant. After at least one VSatellite is deployed, the DEK protection mode cannot be changed unless all VSatellites are deleted.