I have a question about the key rotation at the end of their lifetime.
As per audit review, the following question came up, and I am uncertain if we need to create a policy outside of Sophos or if Sophos already manages this.
Keys are changed at the end of the defined cryptoperiod?
My questions are:
I could not find this in any documentation.
There are two keys in play here. The bulk encryption key that Bitlocker uses on the drive which is stored in the TPM and the Recovery key.
You can store BitLocker recovery keys in Active Directory.
Hi Shweta, thanks for this update, but it does not give an answer to these questions.
As one needs to know when the cryptoperiod should expire, and as Sophos manages the keys, Sophos could know the proposed lifetime.
1, 2 years, etc. Is this in any way defined/applicable here, or is the lifetime something a company needs to specify?
I am not talking about someone leaving the company who has access to these keys, but about the auto-generation part.
Okay, we need to clarify a few things here.
Are you using Safeguard or Central Device Encryption?
Is your drive encrypted with Bitlocker?
Snr. New Product Introduction Engineer | CISSP | Sophos Technical Support
We are using Sophos Central Encryption.
Currently we have BitLocker and FileVault (macOS) enabled.
Central Device Encryption stores the Recovery Key and polls the new one when it is generated: https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/DEGroupPolicySettings.html
The bulk encryption key can be rotated (which is what I am assuming you are talking about based on your post) but CDE doesn't do that and doesn't monitor that action because it doesn't matter to it. The bulk key gets rotated, is stored onto the TPM, and a new Recovery Key is generated to get access to it, which is transmitted into Central. You now have access to the new bulk key through the stored recovery key.
Here is an article on how to rotate the bulk key: docs.microsoft.com/.../encrypt-devices
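As an added illustration of the rotation the reply above describes (not code from the thread, from Sophos or from the linked Microsoft article), the PowerShell below rotates the BitLocker numerical recovery password on each fully encrypted volume, escrows the new protector before the old one is removed, and writes a dated log, since BitLocker itself keeps no creation time on protectors and that log becomes the auditor's evidence of the cryptoperiod. It assumes the BitLocker PowerShell module, an elevated session, and that AD DS escrow is permitted by policy; the log path and the function name are my own choices.

```powershell
# Added example (not from the thread): rotate the BitLocker recovery password
# per volume and record when it happened. Assumes an elevated session and the
# BitLocker module; Backup-BitLockerKeyProtector needs AD DS escrow allowed.
#Requires -RunAsAdministrator
Import-Module BitLocker

function Rotate-RecoveryPassword {
    param([Parameter(Mandatory)][string]$MountPoint)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        Write-Warning "$MountPoint is $($vol.VolumeStatus); skipping."
        return
    }
    $old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # Add the new protector first so the volume is never left without one.
    $new = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Where-Object { $_.KeyProtectorId -notin $old.KeyProtectorId }

    # Escrow the new protector before removing the old one. If escrow fails,
    # keep both protectors rather than risk losing recovery access.
    try {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null
    } catch {
        Write-Warning "Escrow failed for $MountPoint; old protector kept. $_"
        $old = @()
    }
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    [pscustomobject]@{
        MountPoint     = $MountPoint
        RotatedAt      = (Get-Date).ToString('o')
        NewProtectorId = $new.KeyProtectorId
        RemovedCount   = $old.Count
    }
}

# Log path is an assumption; keep the CSV where the audit team can read it.
Get-BitLockerVolume | ForEach-Object { Rotate-RecoveryPassword -MountPoint $_.MountPoint } |
    Export-Csv -Path "$env:ProgramData\bitlocker-rotation.csv" -Append -NoTypeInformation
```

On a Central Device Encryption managed device the new protector is also picked up by the agent's polling described above, so the old recovery key stored in Central is superseded rather than left valid.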