Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Subscribers 7 subscribers
  • Views 15974 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Device encryption key rotation

jimmyvdbergh

Hi, 

I have a question about the key rotation at the end of their lifetime. 

as per audit review the following question came up and i am uncentain if we need to create a pollicy outside of sophos or if sophos already mannage this. 

Keys are changed at the end of the defined cryptoperiod? 

my questions are: 

  1. Does Sophos keep track of the lifetime of the key? (cryptoperiod)
  2. Does Sophos auto renew the key (after cryptoperiod expires)?
  3. My assumption: when storing new password a new key is generated. Is this correct?

 I could not find this in any documentation. 

best 

jimmy



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to Shweta

    Hi Shweta, thanks for this update but does not give answer to these question

    1. Does Sophos keep track of the lifetime of the key? (cryptoperiod)
    2. Does Sophos auto renew the key (after cryptoperiod expires)?

    as one needs to know when cryptoperiod should expire. as sophos manages the keys. sophos could know the proposed lifetime. 

    1, 2 years etc. is this in any way defined / applicable here. or is lifetime, something a company needs to specify? 

    not talking about someone leaving company and has access to these keys. but in the auto-generation part. 

    best,

    jimmy

  • FormerMember
    0 FormerMember in reply to jimmyvdbergh

    Okay, we need to clarify a few things here.

    Are you using Safeguard or Central Device Encryption?

    Is your drive encrypted with Bitlocker?

  • 0 in reply to FormerMember

    Hi Richard,

    we are using sophos central encryption 

    currently we have bitlocker and filevault (macOS) enabled

    best 

    jimmy 

  • FormerMember
    +1 FormerMember in reply to jimmyvdbergh

    There are two keys in play here. The bulk encryption key that Bitlocker uses on the drive which is stored in the TPM and the Recovery key.

    Central Device Encryption stores the Recovery Key and polls the new one when it is generated: https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/DEGroupPolicySettings.html

    The bulk encryption key can be rotated (which is what I am assuming you are talking about based on your post) but CDE doesn't do that and doesn't monitor that action because it doesn't matter to it. The bulk key gets rotated, is stored onto the TPM, and a new Recovery Key is generated to get access to it, which is transmitted into Central. You now have access to the new bulk key through the stored recovery key.

    Here is an article on how to rotate the bulk key: docs.microsoft.com/.../encrypt-devices

Unfiltered HTML