
Key Rotation

Cryptographic best practices mandate that no security credential is trusted forever. This includes your client WireGuard® keys. Fortunately, TunnelHound features a built-in key rotation and reminder engine that can be enabled per endpoint. It makes sure that no key used to access your VPN is older than a configurable amount of time.

Setting up key rotation

You can enable key rotation on any existing endpoint. After the endpoint is created, navigate to the endpoint administration page by clicking on the Admin item and selecting Endpoints.

[Screenshot: Endpoint item selected]

Then, click on the endpoint you wish to enable key rotation on.

On the endpoint administration page, click the checkbox in the Key rotation section to enable key rotation.

[Screenshot: Key rotation section]

In the key rotation period box, enter the maximum lifetime of a key in days. We think anywhere from 60 to 180 days is a reasonable key rotation period, but you may have different requirements. Click the save button when finished to save the changes.

That’s it! TunnelHound will automatically reset the credentials of any device that has not had new credentials created within the given number of days. To help your users remain compliant with your policy, an e-mail is automatically sent to them, reminding them that a key rotation is required and giving instructions on how to change their keys.