Rekey software encryption at rest master key
You can use the Element API to rekey an existing key. This process creates a new replacement master key for your external key management server. Master keys are always replaced by new master keys and never duplicated or overwritten.
You might need to rekey as part of one of the following procedures:
- Create a new key as part of a change from internal key management to external key management.
- Create a new key as a reaction to or as protection against a security-related event.
This process is asynchronous and returns a response before the rekey operation is complete. You can use the GetAsyncResult method to poll the system to see when the process has completed.
- You have enabled software encryption at rest using the CreateCluster method on a new cluster that does not contain volumes and has no I/O. Use GetSoftwareEncryptionAtRestInfo to confirm that the state is `enabled` before proceeding.
- You have established a trust relationship between the SolidFire cluster and an External Key Server (EKS). Run the TestKeyProviderKmip method to verify that a connection to the key provider is established.
1. Run the ListKeyProvidersKmip command and copy the key provider ID (`keyProviderID`).
2. Run the RekeySoftwareEncryptionAtRestMasterKey command with the `keyManagementType` parameter set to `external` and `keyProviderID` set to the ID number of the key provider from the previous step:

```json
{
  "method": "rekeysoftwareencryptionatrestmasterkey",
  "params": {
    "keyManagementType": "external",
    "keyProviderID": "<ID number>"
  }
}
```

3. Copy the `asyncHandle` value from the RekeySoftwareEncryptionAtRestMasterKey command response.
4. Run the GetAsyncResult command with the `asyncHandle` value from the previous step to confirm the change in configuration. In the command response, you should see that the older master key configuration (`keyToDecommission`) has been replaced by the new key information (`newKey`). Copy the new key provider ID for use in a later step.

```json
{
  "id": null,
  "result": {
    "createTime": "2021-01-01T22:29:18Z",
    "lastUpdateTime": "2021-01-01T22:45:51Z",
    "result": {
      "keyToDecommission": {
        "keyID": "<value>",
        "keyManagementType": "internal"
      },
      "newKey": {
        "keyID": "<value>",
        "keyManagementType": "external",
        "keyProviderID": <value>
      },
      "operation": "Rekeying Master Key. Master Key management being transferred from Internal Key Management to External Key Management with keyProviderID=<value>",
      "state": "Ready"
    },
    "resultType": "RekeySoftwareEncryptionAtRestMasterKey",
    "status": "complete"
  }
}
```

5. Run the GetSoftwareEncryptionAtRestInfo command to confirm that the new key details, including the `keyProviderID`, have been updated:

```json
{
  "id": null,
  "result": {
    "masterKeyInfo": {
      "keyCreatedTime": "2021-01-01T22:29:18Z",
      "keyID": "<updated value>",
      "keyManagementType": "external",
      "keyProviderID": <value>
    },
    "rekeyMasterKeyAsyncResultID": <value>,
    "status": "enabled",
    "version": 1
  }
}
```
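The steps above can be scripted end to end: issue the rekey, poll GetAsyncResult until `status` is `complete`, and then refuse to treat the rekey as done until GetSoftwareEncryptionAtRestInfo actually reports `external` key management with the expected `keyProviderID`. The following is an added example written for this page, not NetApp code or part of the Element API documentation. The endpoint path `https://<mvip>/json-rpc/<version>`, the use of HTTP basic auth, and the `ScriptedCluster` stand-in with its constructed key IDs and async handle are assumptions made so that the example runs offline.

```python
"""Added example (not NetApp's code): drive the rekey procedure over the
Element API JSON-RPC interface and verify the resulting key configuration.
The transport is a plain callable so the logic can run against a real
cluster or against the offline ScriptedCluster stand-in below."""
import base64
import json
import time
import urllib.request
from typing import Any, Callable, Dict, List

# A caller takes a method name and its params and returns the decoded
# JSON-RPC response: a dict carrying "result" or (on rejection) "error".
JsonRpcCall = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def make_https_caller(mvip: str, user: str, password: str,
                      api_version: str = "12.3") -> JsonRpcCall:
    """Caller that POSTs to https://<mvip>/json-rpc/<version> with HTTP basic
    auth (path and version are assumptions). TLS verification stays on, so the
    cluster certificate must be trusted by the client."""
    url = f"https://{mvip}/json-rpc/{api_version}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def call(method: str, params: Dict[str, Any]) -> Dict[str, Any]:
        body = json.dumps({"method": method, "params": params, "id": 1}).encode()
        req = urllib.request.Request(url, data=body, method="POST", headers={
            "Content-Type": "application/json", "Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return call


def rekey_to_external(call: JsonRpcCall, key_provider_id: int,
                      poll_interval: float = 5.0, max_polls: int = 120) -> Dict[str, Any]:
    """Steps 2-5 of the procedure: rekey, poll, then confirm the new key."""
    resp = call("RekeySoftwareEncryptionAtRestMasterKey",
                {"keyManagementType": "external", "keyProviderID": key_provider_id})
    if "error" in resp:
        raise RuntimeError(f"rekey request rejected: {resp['error']}")
    handle = resp["result"]["asyncHandle"]

    # The call returns before the rekey finishes; poll GetAsyncResult.
    polls = 0
    for _ in range(max_polls):
        polls += 1
        poll = call("GetAsyncResult", {"asyncHandle": handle})
        if "error" in poll or "error" in poll.get("result", {}):
            raise RuntimeError(f"rekey asyncHandle={handle} failed: {poll}")
        if poll["result"]["status"] == "complete":
            outcome = poll["result"]["result"]
            break
        time.sleep(poll_interval)
    else:
        raise RuntimeError(f"rekey asyncHandle={handle} still running after {polls} polls")
    if outcome.get("state") != "Ready" or outcome["newKey"]["keyManagementType"] != "external":
        raise RuntimeError(f"unexpected rekey outcome: {outcome}")

    # Do not trust the async result alone: the cluster's own view must agree.
    info = call("GetSoftwareEncryptionAtRestInfo", {})["result"]
    master = info["masterKeyInfo"]
    if (info["status"] != "enabled" or master["keyManagementType"] != "external"
            or master["keyProviderID"] != key_provider_id):
        raise RuntimeError(f"GetSoftwareEncryptionAtRestInfo does not reflect the rekey: {info}")
    return {"decommissioned": outcome["keyToDecommission"]["keyID"],
            "newKeyID": master["keyID"], "keyProviderID": master["keyProviderID"],
            "polls": polls}


class ScriptedCluster:
    """Offline stand-in replaying responses shaped like the page's examples,
    reporting 'running' once before 'complete'. All IDs are constructed."""

    def __init__(self, key_provider_id: int = 1):
        self.kp = key_provider_id
        self.polls = 0
        self.calls: List[str] = []

    def __call__(self, method: str, params: Dict[str, Any]) -> Dict[str, Any]:
        self.calls.append(method)
        if method == "RekeySoftwareEncryptionAtRestMasterKey":
            return {"id": 1, "result": {"asyncHandle": 42}}
        if method == "GetAsyncResult":
            self.polls += 1
            if self.polls < 2:
                return {"id": 1, "result": {"status": "running"}}
            return {"id": 1, "result": {"status": "complete", "state": "Ready",
                    "resultType": "RekeySoftwareEncryptionAtRestMasterKey", "result": {
                        "state": "Ready",
                        "keyToDecommission": {"keyID": "old-key-constructed",
                                              "keyManagementType": "internal"},
                        "newKey": {"keyID": "new-key-constructed",
                                   "keyManagementType": "external", "keyProviderID": self.kp}}}}
        if method == "GetSoftwareEncryptionAtRestInfo":
            return {"id": 1, "result": {"status": "enabled", "version": 1, "masterKeyInfo": {
                "keyID": "new-key-constructed", "keyManagementType": "external",
                "keyProviderID": self.kp}}}
        raise KeyError(method)


if __name__ == "__main__":
    print(rekey_to_external(ScriptedCluster(key_provider_id=7), 7, poll_interval=0))
```

Against a real cluster, replace the `ScriptedCluster` instance with `make_https_caller(mvip, user, password)` and pass the `keyProviderID` copied from ListKeyProvidersKmip. The final GetSoftwareEncryptionAtRestInfo check is what turns "the async job said Ready" into "the cluster is now protected by the external key"; a mismatch there raises rather than silently returning.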