Rotate Keys

This guide shows how to rotate PureKit-related keys. There can never be enough security, so you should rotate your sensitive data regularly (about once a week).

Also, use this flow in case your database has been COMPROMISED!

Use this workflow to get an update_token for updating encryption keys in your database and to get a new app_secret_key and service_public_key for your application.

Learn more about Pure Records and keys rotation as a part of Post-Compromise Security in this guide.

Get your update token

Navigate to your Virgil Application panel at Virgil Dashboard and, after pressing "BEGIN ROTATION PROCESS" press “SHOW UPDATE TOKEN” button to get the update_token (UT).

Initialize PureKit with the update token

Move to PureKit configuration file and specify your update_token (UT):

PureContext context = PureContext.createContext(

Pure pure = new Pure(context);

Start migration

If using Virgil Cloud

If you're using Virgil Cloud for storing users' encrypted passwords and encryption keys, then simply continue the rotation process at the Virgil Dashboard by clicking "CONTINUE KEYS ROTATION" and following the instructions.

If using custom storage

If you're using a custom storage, run the performRotation function:

Pure.RotationResults results = pure.performRotation();

Note! You don't need to ask your users for a new password.

Note! The SDK is able to work with two versions of a user's password record (old and new). This means that if a user logs into your system while you're performing the migration, the PureKit SDK will verify their password without any problems.

Download CLI

After you've updated your database records, it's required to update (rotate) your application credentials. For security reasons, you need to use the Virgil CLI utility.

Rotate app secret key

Use Virgil CLI update-keys command and your update_token (UT) to update the app_secret_key (SK) and service_public_key (PK):

virgil purekit update-keys PK.*** SK.*** UT.***

Configure PureKit with new credentials

If you are using your own storage, you have to navigate to PureKit configuration and replace your previous app_secret_key, service_public_key with the new ones.

It is necessary to delete update_token and the previous app_secret_key, service_public_key after rotation for security reasons.

Here is an example of how to configure PureKit with the new credentials:

PureContext context = PureContext.createContext(

Pure pure = new Pure(context);