Encryption Key Migration Wizard
In PR7, there are two databases:
- The "Primary Database" -- This database contains 99.9% of the information regarding the store: products, categories, configuration, and order data.
- The "Private Key Database" -- This database contains only the encrypted private key component of order data encryption keypairs. PCI wants this data stored separately from the encrypted order data.
New PR7 installations prompt for the location of the separate private key database in setup.mvc.
Users who have upgraded from PR6 will still have the private key information stored in the primary database. The purpose of this wizard is to allow knowledgeable administrators to move the private key information to a separate private key database.
In our PA-DSS implementation guide, there are two allowable data storage configurations.
1. Primary MySQL database, separate MySQL private key database.
2. Primary MySQL database, separate MivaSQL private key database (on the webserver).
In either case, the primary MySQL database must be on a physically separate system from the webserver.
Again, those of you who upgraded from PR6 will have your private keys stored in the primary database. It's worth mentioning that if your primary database is MivaSQL, there's no point in running this wizard, because you will not meet the requirements of our PA-DSS Implementation Guide without moving all of your data into a MySQL database (a task which is outside the scope of this wizard).
This leaves us with the following starting point: Primary database is MySQL, private keys are stored in primary database.
To migrate your private key information into a *different* MySQL database:
1. You or your server administrator must create an empty MySQL schema.
1a. This MySQL schema should be on a different physical server from the primary database, and should have a different password from the primary database.
2. Select "Move Private Keys into a MySQL database"
2a. The connection string is in the form <schema>@<mysql_server>
2b. The username and password were determined in step 1.
2c. Leave the flags field blank.
The wizard will try to keep you from hurting yourself. If you accidentally enter the same MySQL database connection information as your primary database, it will not allow you to proceed. If you enter connection information for a MySQL database that contains tables, it will not allow you to proceed.
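A pre-flight check an administrator could run on the values from steps 1 and 2 before starting the wizard, as an added example (not Miva's code, and not a description of how the wizard implements its own checks). The `Db` tuple, the function names, and the sample hosts and credentials are hypothetical; the table list is assumed to come from running `SHOW TABLES` against the new schema.

```python
from collections import namedtuple

# Hypothetical container for the values typed into the wizard's fields.
Db = namedtuple("Db", "connection username password")

def parse_connection(conn):
    """Split '<schema>@<mysql_server>' into (schema, server)."""
    schema, sep, server = conn.strip().partition("@")
    if not sep or not schema or not server or "@" in server:
        raise ValueError("expected <schema>@<mysql_server>, got %r" % conn)
    # Hostnames are case-insensitive; schema names are compared as typed.
    return schema, server.lower().rstrip(".")

def preflight(primary, key_db, key_db_tables):
    """Return a list of problems; an empty list means the target looks usable.

    key_db_tables is the list of table names found in the target schema,
    e.g. the rows returned by SHOW TABLES run against it.
    """
    p_schema, p_server = parse_connection(primary.connection)
    k_schema, k_server = parse_connection(key_db.connection)
    problems = []
    if (k_schema, k_server) == (p_schema, p_server):
        problems.append("target is the primary database")
    elif k_server == p_server:
        # Name comparison only: two names can still resolve to one machine.
        problems.append("target is on the same server as the primary database")
    if key_db.password == primary.password:
        problems.append("target uses the same password as the primary database")
    if key_db_tables:
        problems.append("target schema is not empty: %d table(s)" % len(key_db_tables))
    return problems

# Constructed sample values, not taken from any real store.
PRIMARY = Db("store@db1.example.com", "store_user", "primary-secret")
GOOD = Db("storekeys@db2.example.com", "keys_user", "different-secret")
SAME = Db("store@DB1.example.com", "store_user", "primary-secret")

if __name__ == "__main__":
    print(preflight(PRIMARY, GOOD, []))                 # clean target
    print(preflight(PRIMARY, SAME, ["example_table"]))  # three problems
```

A differing hostname does not prove the schema is on a different physical server, so step 1a still has to be confirmed with whoever provisioned the database.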
To migrate your private key information into a MivaSQL database:
1. Select "Move Private Keys into a MivaSQL Database on the Web Server"
1a. For MivaSQL, the connection string is the name of the MivaSQL schema file. The default is mm5_privatekeys.dbf. You can safely use the default value.
1b. Leave the flags field blank.
Again, the wizard will try to keep you from hurting yourself. If the MivaSQL schema already exists, you will not be able to proceed. Also, the option to migrate to a MivaSQL private key database is not always present, to prevent filename collisions when the primary database is also MivaSQL.
Community forum post regarding this Encryption Key Migration Wizard