The Importance of Key Recycling for your MOVEit solution

Key recycling, also known as key rotation, is the practice of exchanging current encryption keys with new ones on a regular basis. This is done to improve system security and protect encryption keys from being compromised. MOVEit Transfer supports key rotation, which can be set to happen automatically on a regular schedule, such as every 90 days for example.  

The Encryption Key Rotation Manager helps System Administrators refresh their “at rest” encryption key scheme. To manage the rotation, a focused UI provides a time-to-complete estimate, work schedule, pause/resume, and passphrase generation controls, all while MOVEit Transfer is still running in live production mode. 

This functionality is available as of the 2021.0 release, and only SysAdmin users have access to the Encryption Keys page for added security reasons. 

It's critical to note that key rotation should be planned correctly to avoid interfering with the file transfer process. During normal production operations, the MOVEit Transfer server's encryption performance demands are naturally minimal. Items added to the filestore are encrypted on the fly. When you re-encrypt a MOVEit Transfer filestore that has been built up over time with hundreds or thousands of files, this large-volume, batch encryption increases CPU workload, perhaps for several hours or more. You can reduce the system's latency by scheduling appropriately, scaling out, and informing users who may experience lag when interacting with MOVEit Transfer. 

The Key Management Interface can deploy a rotation schedule, launch the key rotation process directly, or launch and apply a schedule. When file re-encryption work completes, MOVEit Transfer notifies administrators by email. Key conversion runs in the background. 

Using the Key Management Dashboard, users can: 

  • View the history of organization-wide encryption key rotation. 
  • Get a helpful time-to-complete estimate.
  • Launch re-encryption work right now, in off-hours, or as appropriate (override with
  • Pause and restart the conversion process. 
  • Get reminders on paused or pending rotations. 
  • Get completion summaries, alerts, and reports on completed rotations. 

To start key rotation in MOVEit Transfer, follow these steps: 

  • Log in to the MOVEit Transfer admin interface as a Sysadmin user. 
  • Click on "Orgs" in the left-hand side menu
  • Select the required "Org".
  • Click "Manage Org Encryption keys"
  • Click "Begin Key Rotation Process", this will give you an estimate of the time to complete the key rotation process. 
  • Click "Continue" if you're happy with the estimate. 
  • Create a passphrase and click "Continue". 
  • Edit the schedule as required and click "Start Rotation". 
  • Click "Start Rotation" to confirm. 

It's important to note that rotating keys should be done regularly to maintain security. Also, be sure to carefully manage and store your keys, as they are critical to securing your data. 

Progress documentation: 

Encryption Keys - 

Post Conversion Guidelines - 




    About the Author:



Helder Vieira is the Technical Support Analyst at Pro2col, who enjoys getting to grips with the latest MFT platforms to better help solve client queries.

He prides himself as a real team player and is the first to step in to offer any assistance. These values also apply outside of work. 

Find out more about Helder here.