Device encryption key rotation

Question

Hi, 
 
 I have a question about the key rotation at the end of their lifetime. 
 as per audit review the following question came up and i am uncentain if we need to create a pollicy outside of sophos or if sophos already mannage this. 
 Keys are changed at the end of the defined cryptoperiod? 
 my questions are: 
 
 Does Sophos keep track of the lifetime of the key? (cryptoperiod) 
 Does Sophos auto renew the key (after cryptoperiod expires)? 
 My assumption: when storing new password a new key is generated. Is this correct? 
 
 I could not find this in any documentation. 
 
 best 
 
 jimmy

FormerMember · Accepted Answer

There are two keys in play here. The bulk encryption key that Bitlocker uses on the drive which is stored in the TPM and the Recovery key. 
 Central Device Encryption stores the Recovery Key and polls the new one when it is generated: https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/DEGroupPolicySettings.html 
 The bulk encryption key can be rotated (which is what I am assuming you are talking about based on your post) but CDE doesn't do that and doesn't monitor that action because it doesn't matter to it. The bulk key gets rotated, is stored onto the TPM, and a new Recovery Key is generated to get access to it, which is transmitted into Central. You now have access to the new bulk key through the stored recovery key. 
 Here is an article on how to rotate the bulk key: docs.microsoft.com/.../encrypt-devices

Device encryption key rotation

Top Replies