security key-manager external aws rekey-external

Rekey an external key of the Vserver

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

This command replaces the existing AWS KMS key encryption key (KEK), so that the key hierarchy is protected by the new user-specified AWS KMS KEK. Before running this command, the user should have already made the necessary changes on the AWS KMS Portal to use the new KEK. Upon successful completion of this command, the internal keys for the given Vserver are protected by the new AWS KMS KEK.

Parameters

-vserver <Vserver Name> - Vserver

This parameter specifies the Vserver for which ONTAP should rekey the AWS KMS KEK.

-key-id <text> - AWS Key ID

This parameter specifies the key ID of the new AWS KMS KEK that should be used by ONTAP for the provided Vserver. In the case of automatic AWS KMS KEK rotation, the key ID will be the identifier of the user's already existing AWS KMS Customer Managed Key (CMK). In the case of manual AWS KMS KEK rotation, the key ID will be the identifier of the user's new AWS KMS CMK.

Examples

The following command rekeys the AWS KMS KEK for data Vserver vs1 using a new key-id key3.

cluster-1::> security key-manager external aws rekey-external -vserver vs1 -key-id key3