Rotating Encryption Keys
A Key must also be replaced if its integrity may have been compromised, or when a Key custodian leaves the company.
To rotate Keys, you need to have two active Keys in the system. Drop the Key which you want to retire (your cardholder data remains securely encrypted with the second Key) and then generate a new Key.
CloudBlue Commerce automatically re-encrypts the cardholder data with the new Key. All data that was encrypted with the dropped Key is overwritten.
After Key rotation, the Key custodian must securely delete any traces of the dropped Key (Private Key and Passphrase) outside CloudBlue Commerce (as per PCI DSS requirement 3.6.5). For Linux, we recommend using the shred tool.
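The following shell function is an added example of the clean-up step described above; it is not CloudBlue Commerce tooling. It uses GNU shred to overwrite and unlink a retired Private Key file, then confirms the file is gone. The file path is an assumption, and the demo writes a constructed stand-in file rather than a real key.

```shell
#!/bin/sh
# Added example, not part of CloudBlue Commerce: securely delete a retired key
# file with GNU shred and verify removal. Assumed path: /path/to/retired-key.pem
# (placeholder; substitute the real location of the dropped Private Key).

# securely_delete_key FILE
#   Overwrite FILE with three passes of random data, add a final pass of zeros,
#   then unlink it. Returns 0 if FILE no longer exists afterwards, 1 otherwise.
securely_delete_key() {
    key_file="$1"
    if [ ! -f "$key_file" ]; then
        echo "securely_delete_key: no such file: $key_file" >&2
        return 1
    fi
    if ! command -v shred >/dev/null 2>&1; then
        echo "securely_delete_key: shred not found (GNU coreutils required)" >&2
        return 1
    fi
    # -n 3: three random-data passes
    # -z:   final pass of zeros so the file does not look shredded
    # -u:   truncate and remove the file after overwriting
    # --:   stop option parsing so odd file names cannot be read as flags
    shred -n 3 -z -u -- "$key_file" || return 1
    [ ! -e "$key_file" ]
}

# key_is_gone FILE: 0 if FILE is absent, 1 if it still exists
key_is_gone() {
    [ ! -e "$1" ]
}

# Demo with a constructed stand-in file (not a real key):
demo_key="$(mktemp)"
printf 'CONSTRUCTED SAMPLE CONTENT, NOT A REAL KEY\n' > "$demo_key"
securely_delete_key "$demo_key" && key_is_gone "$demo_key" && echo "removed $demo_key"
```

Apply the same treatment to any file that held the Passphrase. Note the limits stated in shred's own documentation: overwriting in place is not reliable on journaling or copy-on-write filesystems, on SSDs with wear levelling, or for copies that live in backups, snapshots or swap, so check those locations too.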
Note: Only users with the KEY_CUSTODIAN privilege can generate new encryption Keys – you must ensure that nobody except your Key custodians has this privilege, to prevent unauthorized substitution of your encryption Keys.