To retire a master key, follow the sequence of JMX operations below:
1. On the JConsole window, select the MBeans tab.
   The available managed beans are displayed in JConsole.
2. Navigate to Alfresco > Configuration > ContentStore > managed > encrypted > Operations.
   The Operation invocation window is displayed.
3. For operation revokeMasterKey, enter the alias of the master key to be revoked as parameter p1 and click revokeMasterKey.
   The relevant master key won’t be used for encryption.
4. For operation reEncryptSymmetricKeys, enter the alias of the revoked master key as parameter p1 and click reEncryptSymmetricKeys.
   This will reencrypt the symmetric keys of this master key with a new master key.
5. Click showMasterKeys to check that there are no outstanding symmetric keys for the revoked master key and that the total number of files that were encrypted using the revoked master key is zero.
6. Click stop to stop the Encrypted content store subsystem.
7. Remove the relevant alias and related password from MBeans > Alfresco > Configuration > ContentStore > managed > encrypted > Attributes > Attribute values window.
8. Click start to restart and reinitialize the Encrypted Content Store subsystem.
Note: If you update or remove a master key using the JMX client on an Enterprise installation, those updates override the values in the alfresco-global.properties file. Alternatively, one can delete the master key alias and password by editing the alfresco-global.properties file and restarting the repository.

Note: Key revocation is not persisted. If you restart this subsystem (or Alfresco) between revoking a master key (Step 3) and removing that key (Step 7), the key will be used again for encryption when this subsystem is initialized again from the key alias list.