Key rotation is the process of cycling the master keys of thread devices on a regular schedule or when the current master key is exposed, generally from the express android application. This is to ensure the master key cannot be used forever after its contents is known and keeps the thread network secure.
If the master key is exposed, a sync state will be set on the control system page in grid view labelled wireless network key rotation required.
Key rotation details can be found in the thread datasets view of grid view.
Next rotate at signifies that a key rotation is scheduled for the specified time and will begin to attempt to rotate the master key. This is automatically set to 7 days + time until midnight after the master key has been exposed.
Last attempt started signifies the last time we attempted to generate a new master key. If all of the requirements are met, the rotation should finish approximately 2 hours after this time. Hovering over this cell will give an approximate rotation time. If we attempt to generate a new master key and it fails for any reason, an issue will be set on the control system page in grid view labelled failed wireless key rotation.
A key rotation can also be scheduled from the right-click menu, or alternatively can be rotated immediately which should take 5 minutes to complete.
Requirements for a successful key rotation:
- The current time must be past the next rotate at time
- The control system must be online for at least 30 minutes
- The control system must have issues enabled and the comms error metric enabled
- There must not be more than 10% of total devices on the control system with a comms error issue