security key-manager external restore
Restore the key ID pairs from the key management servers.
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
This command retrieves and restores any current unrestored keys associated with the storage controller from the specified key management servers. When restoring keys from the external key manager associated with the admin Vserver, you must run the same command on the peer cluster. When restoring keys from a data Vserver, you can run the security key-manager external restore command on the active cluster only as the command is replicated on the peer cluster. This command is not supported when external key management has not been enabled for the Vserver. This command only restores keys from primary key servers.
Parameters
{ [-fields <fieldname>,…]
    If you specify the -fields <fieldname>, … parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify.
| [-instance ] }
    If you specify the -instance parameter, the command displays detailed information about all fields.
[-node {<nodename>|local}] - Node
    This parameter specifies the name of the node that will load unrestored key IDs into its internal key table. If not specified, all nodes retrieve unrestored keys into their internal key table.
[-vserver <vserver name>] - Vserver Name
    This parameter specifies the Vserver for which to list the keys. If not specified, this command restores keys for all Vservers.
[-key-server <Hostname and Port>] - Key Server
    If this parameter is specified, this command restores keys from the key management server identified by the host and port. If not specified, this command restores keys from all available key management servers.
[-key-id <Hex String>] - Key ID
    If you specify this parameter, then the command restores only the key IDs that match the specified value.
[-key-tag <text>] - Key Tag
    If you specify this parameter, then the command restores only the key IDs that match the specified key-tag. The key-tag for Volume Encryption Keys (VEKs) is set to the UUID of the encrypted volume. If not specified, all key ID pairs for any key tags are restored.
Examples
The following command restores keys that are currently on a key server but are not stored within the key tables on the cluster. One key is missing for vserver cluster-1 on node1, and another key is missing for vserver datavs on node1 and node2:

cluster-1::> security key-manager external restore

Node: node1
Vserver: cluster-1
Key Server: 10.0.0.1:5696

Key ID
--------------------------------------------------------------------------------
00000000000000000200000000000100a04fc7303d9abd1e0f00896192fa9c3f0000000000000000

Node: node1
Vserver: datavs
Key Server: tenant.keysever:5696

Key ID
--------------------------------------------------------------------------------
00000000000000000200000000000400a05a7c294a7abc1e0911897132f49c380000000000000000

Node: node2
Vserver: datavs
Key Server: tenant.keysever:5696

Key ID
--------------------------------------------------------------------------------
00000000000000000200000000000400a05a7c294a7abc1e0911897132f49c380000000000000000
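
For keeping a record of which nodes loaded which keys after a restore, the following added example (not part of the original reference and not NetApp code) parses captured restore output into records and groups them by Vserver and key ID. The function names, the record layout and the 32-hex-digit minimum for a key ID are assumptions made for this example; the sample input is constructed from the output shown above.

```python
import re
from collections import defaultdict

# Key IDs copied from the example output above.
KEY_A = "00000000000000000200000000000100a04fc7303d9abd1e0f00896192fa9c3f0000000000000000"
KEY_B = "00000000000000000200000000000400a05a7c294a7abc1e0911897132f49c380000000000000000"

def _block(node, vserver, server, key_id):
    """Build one output block in the layout the example shows (constructed input)."""
    return (f"Node: {node}\nVserver: {vserver}\nKey Server: {server}\n\n"
            f"Key ID\n{'-' * 80}\n{key_id}\n\n")

# Constructed sample mirroring the three blocks in the example.
SAMPLE = (_block("node1", "cluster-1", "10.0.0.1:5696", KEY_A)
          + _block("node1", "datavs", "tenant.keysever:5696", KEY_B)
          + _block("node2", "datavs", "tenant.keysever:5696", KEY_B))

HEADER = re.compile(r"Node:\s*(\S+)\s+Vserver:\s*(\S+)\s+Key Server:\s*(\S+)")
# Assumption: a key ID is a run of at least 32 hex digits, which keeps the
# "Key ID" label and the dashed rule from matching.
KEY_ID = re.compile(r"\b[0-9a-fA-F]{32,}\b")

def parse_restore_output(text):
    """Return one record per restored key ID, tagged with its block header."""
    records = []
    headers = list(HEADER.finditer(text))
    for i, hdr in enumerate(headers):
        # A block runs from the end of its header to the start of the next one.
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        node, vserver, server = hdr.groups()
        for key_id in KEY_ID.findall(text[hdr.end():end]):
            records.append({"node": node, "vserver": vserver,
                            "key_server": server, "key_id": key_id.lower()})
    return records

def nodes_by_key(records):
    """Map (vserver, key_id) to the sorted list of nodes that loaded the key."""
    grouped = defaultdict(set)
    for rec in records:
        grouped[(rec["vserver"], rec["key_id"])].add(rec["node"])
    return {key: sorted(nodes) for key, nodes in grouped.items()}

if __name__ == "__main__":
    for (vserver, key_id), nodes in nodes_by_key(parse_restore_output(SAMPLE)).items():
        print(f"{vserver}: {key_id} restored on {', '.join(nodes)}")
```

The parser matches on tokens rather than lines, so it also accepts output that has been flattened onto a single line by a logging or ticketing tool.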