As a best practice, periodically refresh the
master key encryption by rotating the wrapping key that encrypts
it. The frequency of the rotation depends on your application. The
wrapping key resides on your HSM. The following command is the same
for SafeNet Network and nCipher nShield Connect HSMs.
Use the following CLI command to rotate the wrapping key
for the master key on an HSM:
> request hsm mkey-wrapping-key-rotation
the master key is encrypted on the HSM, the CLI command will generate
a new wrapping key on the HSM and encrypt the master key with the
new wrapping key.
If the master key is not encrypted on the
HSM, the CLI command will generate new wrapping key on the HSM for
The old wrapping key is not deleted by this command.