Sombra Key Rotations

NIST recommends rotating keys once a year.

Transcend allows you to rotate all the keys used by Sombra, granting you greater control over your security practices when using Transcend.

Sombra remembers the four (4) latest sets of keys. Older keys are "forgotten".

If Transcend hosts your Sombra instance, you can rotate the keys by following these steps:

  1. Navigate to "Settings > Sombra" on your Admin Dashboard
  2. Scroll to the "Hosted Sombra Keys" section
  3. Click on the "Rotate Sombra Keys" button
  4. Once the keys are finished rotating, you will be presented with your new INTERNAL_KEY. You will need to copy it down, as it will be lost once the modal is closed.
  5. After the modal closes, you will be redirected to the login page for the new keys to take effect.

If you host your organization's Sombra instance, you can rotate your keys by following the steps outlined in the CONFIGURATION.md file in the Sombra package.

In the key rotation process, we rotate two keys: the INTERNAL_KEY and the JWT_ECDSA_KEY.

If you'd like your internal application to authenticate with Sombra's internal API, you can do so by generating a symmetric key, called the INTERNAL_KEY. This key is sent as a Bearer token in the x-sombra-authentication header.

The JWT_ECDSA_KEY is an asymmetric JSON Web Token key used to sign Sombra payloads with the Elliptic Curve Digital Signature Algorithm (ECDSA). It can also be used to derive other encryption keys used in Sombra.

Transcend allows the keys used for data subject requests, and their associated integrations, to be rotated. Once your keys have been successfully rotated in Sombra, we recommend you update your integrations and any failing data subject requests to use the latest keys.

While there's no harm in letting existing requests continue to use older keys, there's a chance that a request might fail due to its associated set of encryption keys being dropped (Sombra remembers the last four keys).

We recommend you update your integrations to use the latest set of encryption keys, immediately after rotating your Sombra instance's keys, as failing to do so might lead to a "locked" integration, i.e., one encrypted with a set of keys that has been dropped as part of the most recent key rotation.

You can afford to let requests continue to use older sets of encryption keys, because a request is short-lived, whereas an integration is long-lived and shared across requests.

To re-sign the encryption contexts of failing requests:

  1. Navigate to "Settings > Sombra" on your Admin Dashboard
  2. Scroll down to the "Request Security" section of the page
  3. Click on the "Re-Sign Encryption Contexts" button to update any requests that are failing due to the error Request's encryption context has expired...

To re-sign the contexts of your integrations:

  1. Navigate to "Settings > Sombra" on your Admin Dashboard
  2. Scroll down to the "Request Security" section of the page
  3. Click on the "Re-Sign SaaS Contexts" button to update all integrations in your organization