This article applies to Trust Protection Platform 16.4 and later.
If you want to use a custom encryption key for SSH items in a policy folder, you need to register a new key with the system.
Trust Protection Platform does not currently have a feature to allow you to generate a custom encryption key, but you can use the procedure described in this article to force the creation of a new key by the system.
Register a custom encryption key
- Log in to the Windows server that hosts Trust Protection Platform.
- Open the Windows Registry Editor: open the Run dialog and type Regedit.
- Browse to the following registry folder: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Venafi\DPAPI
- Locate the key with the name 'Default' and the type 'REG_BINARY'.
- Rename this key to 'Good'. (The name doesn't matter, but if you use a different name, replace it in the following steps.)
- Back on the Windows desktop, open and then close the Windows Administration Console. On startup, the system looks for the key named 'Default'; if it isn't there, it re-creates it.
- Go back to the same folder in the Registry Editor. A new key named 'Default' will be there.
- Rename 'Default' to whatever name you want the new key to have. For this example, we'll call it 'NewSecurityKey'.
- Rename 'Good' to 'Default'.
At the end of this process, you should have two separate REG_BINARY keys: one called 'Default' and one with the name you used.
You can repeat this process as many times as you need to generate additional keys.
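The same procedure scripted in PowerShell, as an added example that is not from the article or from Venafi. It assumes an elevated session on the Trust Protection Platform server, pauses while you open and close the Administration Console by hand, and adds two checks the article leaves implicit: the DPAPI folder is exported with reg.exe before anything is renamed, and at the end the bytes under 'Default' are compared with the original so that the key the platform was already using is confirmed to have survived the renames unchanged.

```powershell
# Added example (not from the article or Venafi): scripts the rename steps and verifies the result.
# Run in an elevated PowerShell session on the server that hosts Trust Protection Platform.
$DpapiPath  = 'HKLM:\SOFTWARE\Venafi\DPAPI'   # folder named in the article
$NewName    = 'NewSecurityKey'                # the article's example name; change as needed
$Backup     = 'Good'                          # temporary name used by the article
$ExportFile = "$env:TEMP\Venafi-DPAPI-backup-$(Get-Date -Format yyyyMMdd-HHmmss).reg"

# Reads a value under the DPAPI folder and insists it is REG_BINARY, as the article specifies.
function Get-BinaryValue {
    param([string]$Name)
    $item = Get-Item -Path $DpapiPath
    if ($item.GetValueKind($Name) -ne [Microsoft.Win32.RegistryValueKind]::Binary) {
        throw "'$Name' is not a REG_BINARY value"
    }
    return [byte[]]$item.GetValue($Name)
}

# Compares two byte arrays by their hex rendering (works on Windows PowerShell 5.1 and later).
function Test-SameBytes([byte[]]$A, [byte[]]$B) {
    return ([System.BitConverter]::ToString($A) -eq [System.BitConverter]::ToString($B))
}

# Extra step not in the article: export the folder before touching it.
& reg.exe export 'HKLM\SOFTWARE\Venafi\DPAPI' $ExportFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed; aborting before any rename" }
$original = Get-BinaryValue -Name 'Default'

# Rename 'Default' -> 'Good' so the platform cannot find its key on next startup.
Rename-ItemProperty -Path $DpapiPath -Name 'Default' -NewName $Backup

# Manual step from the article: the platform re-creates 'Default' when the console starts.
Read-Host "Open and then close the Windows Administration Console, then press Enter"
$regenerated = Get-BinaryValue -Name 'Default'   # throws if the platform did not re-create it

# Give the regenerated key its final name, then restore the original as 'Default'.
Rename-ItemProperty -Path $DpapiPath -Name 'Default' -NewName $NewName
Rename-ItemProperty -Path $DpapiPath -Name $Backup   -NewName 'Default'

# Verify the end state the article describes: two REG_BINARY values, original bytes intact.
$restored = Get-BinaryValue -Name 'Default'
$custom   = Get-BinaryValue -Name $NewName
if (-not (Test-SameBytes $original $restored)) { throw "'Default' no longer matches the original key" }
if (Test-SameBytes $original $custom)          { throw "'$NewName' is identical to 'Default'" }
Write-Host "OK: 'Default' restored; '$NewName' registered ($($custom.Length) bytes). Backup: $ExportFile"
```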