Sombra key rotations

How to rotate your encryption keys in Transcend.

📘

Rotating keys is a security best practice

NIST key-management guidance (SP 800-57) recommends limiting how long any single key stays in use; rotating at least once a year is a common baseline.

Transcend allows you to rotate all the keys used by Sombra, granting you greater control over the security of your DSR automation flow.

🚧

Important Information

Sombra remembers the four (4) most recent sets of keys. Older sets are "forgotten", and anything still encrypted or signed under a forgotten set can no longer be processed.

Hosted Sombra

If Transcend hosts your Sombra instance, rotate the keys as follows:

  1. Navigate to "Settings > Sombra" on your admin dashboard
  2. Scroll to the "Hosted Sombra Keys" section
  3. Click the "Rotate Sombra Keys" button
  4. Once the keys have finished rotating, a modal shows your new INTERNAL_KEY. Copy it now and store it in your secrets manager: it cannot be retrieved once the modal is closed.
  5. After the modal closes you are redirected to the login page so that the new keys take effect.

On-premise Sombra

If you host your organization's Sombra instance yourself, rotate your keys by following the steps in the CONFIGURATION.md file shipped with the Sombra package.

The rotated keys

The key rotation process rotates two keys: the INTERNAL_KEY and the JWT_ECDSA_KEY.

INTERNAL_KEY

To let your own internal applications authenticate to Sombra's internal API, generate a symmetric key called the INTERNAL_KEY. Callers present it as a Bearer token in the x-sombra-authentication header. Treat it as a shared secret: keep it in a secrets manager rather than in source control, and update every caller after a rotation.
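As an added example (not Transcend's or Sombra's own code), the following Go program shows both sides of that exchange: a caller building the request with the Bearer token in the x-sombra-authentication header named on this page, and a receiving service validating it. The 32-byte key length, the hex encoding, the URL and the function names are assumptions, as is the reading that an older INTERNAL_KEY stays valid until its key set drops out of the four Sombra remembers.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"strings"
)

// The header name is the one this page gives; the 32-byte length, hex
// encoding, URL and function names are illustrative assumptions.
const internalKeyHeader = "x-sombra-authentication"

// newInternalKey draws a 256-bit INTERNAL_KEY from the OS CSPRNG.
func newInternalKey() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// authorizedRequest attaches the key as a Bearer token, as the page describes.
func authorizedRequest(method, url, internalKey string) (*http.Request, error) {
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set(internalKeyHeader, "Bearer "+internalKey)
	return req, nil
}

// checkInternalKey is the receiving side: require the Bearer scheme, then
// compare against every still-retained key in constant time. No early return,
// so the response time does not reveal which (if any) key matched.
func checkInternalKey(header string, retainedKeys []string) bool {
	if !strings.HasPrefix(header, "Bearer ") {
		return false
	}
	presented := []byte(strings.TrimPrefix(header, "Bearer "))
	match := 0
	for _, k := range retainedKeys {
		match |= subtle.ConstantTimeCompare(presented, []byte(k)) // 0 on length mismatch too
	}
	return match == 1
}

func main() {
	current, _ := newInternalKey()
	previous, _ := newInternalKey() // assumed still honoured until its key set is forgotten
	req, _ := authorizedRequest("GET", "https://sombra.example.internal/health", current)
	fmt.Println(checkInternalKey(req.Header.Get(internalKeyHeader), []string{current, previous})) // true
}
```

The receiver never does a plain string comparison on the token: `subtle.ConstantTimeCompare` runs in time independent of where the first differing byte is, and the loop checks every retained key rather than returning on the first hit.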

JWT_ECDSA_KEY

This is the asymmetric key Sombra uses to sign its JSON Web Tokens with the Elliptic Curve Digital Signature Algorithm (ECDSA). Sombra also derives from it the other encryption keys used at the different stages of data subject request resolution, so when a key set is forgotten, the keys derived from it go with it.
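Added example, not Sombra's implementation: a Go key ring that models the retention rule stated in the "Important Information" callout above (four most recent key sets kept, older ones forgotten) applied to JWT_ECDSA_KEY. It signs an ES256 JWT under the newest P-256 key, verifies against whichever retained set the token's kid names, and returns a distinct error once that set has been rotated out, which is the analogue of a request whose encryption context has expired. The kid scheme (derived from the public point), the ring layout and the sample claim are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

const retained = 4 // the page's "four (4) latest sets of keys"

// ErrKeyForgotten is returned once the set that signed a token has been rotated out.
var ErrKeyForgotten = errors.New("signing key set has been rotated out")

// keySet is one generation of JWT_ECDSA_KEY; id becomes the JWT "kid".
type keySet struct {
	id  string
	key *ecdsa.PrivateKey
}

// KeyRing is an illustrative model (not Sombra's code): newest set first,
// anything past `retained` forgotten.
type KeyRing struct{ sets []*keySet }

// Rotate generates a fresh key set and drops the oldest once the ring is full.
func (r *KeyRing) Rotate() error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	r.sets = append([]*keySet{{priv.X.Text(16), priv}}, r.sets...) // kid from public point
	if len(r.sets) > retained {
		r.sets = r.sets[:retained] // the dropped set is gone for good
	}
	return nil
}

// Sign issues an ES256 JWT under the newest key set, tagged with its kid.
func (r *KeyRing) Sign(claims map[string]any) (string, error) {
	ks, enc := r.sets[0], base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": ks.id})
	body, _ := json.Marshal(claims)
	input := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(input))
	rv, sv, err := ecdsa.Sign(rand.Reader, ks.key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r || s, 32 bytes each
	rv.FillBytes(sig[:32])
	sv.FillBytes(sig[32:])
	return input + "." + enc(sig), nil
}

// Verify checks a token against the retained key set named by its kid.
func (r *KeyRing) Verify(token string) (map[string]any, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed JWT")
	}
	dec := base64.RawURLEncoding.DecodeString
	hdrRaw, err1 := dec(p[0])
	body, err2 := dec(p[1])
	sig, err3 := dec(p[2])
	var hdr struct{ Alg, Kid string }
	if err1 != nil || err2 != nil || err3 != nil || len(sig) != 64 ||
		json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "ES256" { // never honour alg=none
		return nil, errors.New("malformed or unsupported JWT")
	}
	for _, ks := range r.sets {
		if ks.id != hdr.Kid {
			continue
		}
		digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
		rv, sv := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
		if !ecdsa.Verify(&ks.key.PublicKey, digest[:], rv, sv) {
			return nil, errors.New("bad signature")
		}
		var claims map[string]any
		return claims, json.Unmarshal(body, &claims)
	}
	return nil, ErrKeyForgotten
}

func main() {
	ring := &KeyRing{}
	ring.Rotate()
	tok, _ := ring.Sign(map[string]any{"sub": "request-1"}) // constructed sample claim
	for i := 0; i < retained; i++ {                         // rotate past the window
		ring.Rotate()
	}
	_, err := ring.Verify(tok)
	fmt.Println(err) // signing key set has been rotated out
}
```

Two points carry over to any verifier you put in front of rotated keys: the token's kid selects the key, but the alg is pinned to ES256 rather than read from the header, and a kid that is no longer retained is reported as its own error so operators can tell "rotated out" apart from "forged".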

After rotating keys in Sombra

Transcend allows the keys tied to data subject requests, and to their associated data silos, to be rotated. Once your Sombra keys have rotated successfully, update your data silos and any failing data subject requests to use the latest keys.

Letting existing requests continue under older keys is harmless in itself, but a request fails once the key set it depends on has been dropped (Sombra remembers only the last four).

🚧

Reminder

Update your data silos to the latest set of encryption keys immediately after rotating your Sombra instance's keys. Otherwise a silo can end up "locked": encrypted under a set of keys that a later rotation has dropped.

Requests can afford to keep using older key sets because they are short-lived, whereas a data silo is shared across requests and persists through many rotations.

Update Requests

  1. Navigate to "Settings > Sombra" on your admin dashboard
  2. Scroll down to the "Request Security" section of the page
  3. Click the "Re-Sign Encryption Contexts" button to update any requests that are failing with the error Request's encryption context has expired...

Update Data Silos

  1. Navigate to "Settings > Sombra" on your admin dashboard
  2. Scroll down to the "Request Security" section of the page
  3. Click on the "Re-Sign SaaS Contexts" button to update all data silos in your organization