Generating Keys for Encryption
Two keys have to be created for correct operation of the PCI DSS encryption: a Key Management encryption key and an actual Encryption key.
Key Management key
In the Control Center go to 'Security Configuration -> Encryption -> tab Key manager'. On first-time configuration there should be a warning message 'Secure storage available. Specify pass phrase' in red, as shown below.

Enter a pass phrase with a minimum length of 20 characters in the 'Pass phrase' field. Enter the same pass phrase again in the 'Verify pass phrase' field, as shown below. Then click the 'Create secure storage' button. On success the warning message will change into 'Secure Storage available' in green, as shown.

Entering the pass phrase is a one-time operation. Once it has been entered, revisiting the tab will show the message 'Secure Storage available' in green, and the pass phrase cannot be altered.
Encryption Keys
Next, an Encryption Key has to be created. Go to the tab Encryption and enter a pass phrase with a minimum length of 20 characters in the 'Pass phrase' field. Enter the same pass phrase again in the 'Verify pass phrase' field, as shown below.

Next, click the 'Create key' button to create the actual Encryption Key. On success the message 'Encryption key' will change into 'Encryption key available', as shown.

More Encryption Keys can be created later, but bear in mind that a new encrypted database field in an application always uses the most recently created Encryption Key. Once an encrypted database field has been created, it will keep using the Encryption Key that was the latest at the moment the field was created, no matter how many new Encryption Keys have been created since.