Refresh the Master Key Encryption

As a best practice, periodically refresh the master key encryption by rotating the wrapping key that encrypts it. The frequency of the rotation depends on your application. The wrapping key resides on your HSM. The following command is the same for SafeNet Network and Thales nShield Connect HSMs.
  1. Log in to the firewall CLI.
  2. Use the following CLI command to rotate the wrapping key for the master key on an HSM:
    > request hsm mkey-wrapping-key-rotation
    If the master key is encrypted on the HSM, the CLI command will generate a new wrapping key on the HSM and encrypt the master key with the new wrapping key.
    If the master key is not encrypted on the HSM, the CLI command will generate new wrapping key on the HSM for future use.
    The old wrapping key is not deleted by this command.

Related Documentation