
security key-manager external restore


Restore the key ID pairs from the key management servers.

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

This command retrieves and restores any current unrestored keys associated with the storage controller from the specified key management servers. When restoring keys from the external key manager associated with the admin Vserver, you must run the same command on the peer cluster. When restoring keys from a data Vserver, you need to run the security key-manager external restore command on the active cluster only, because the command is replicated to the peer cluster. This command is not supported when external key management has not been enabled for the Vserver. This command only restores keys from primary key servers.

Parameters

{ [-fields <fieldname>,…]

If you specify the -fields <fieldname>, … parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify.

| [-instance ] }

If you specify the -instance parameter, the command displays detailed information about all fields.

[-node {<nodename>|local}] - Node

This parameter specifies the name of the node that will load unrestored key IDs into its internal key table. If not specified, all nodes retrieve unrestored keys into their internal key table.

[-vserver <vserver name>] - Vserver Name

This parameter specifies the Vserver for which to restore keys. If not specified, this command restores keys for all Vservers.

[-key-server <Hostname and Port>] - Key Server

If this parameter is specified, this command restores keys from the key management server identified by the host and port. If not specified, this command restores keys from all available key management servers.

[-key-id <Hex String>] - Key ID

If you specify this parameter, then the command restores only the key IDs that match the specified value.

[-key-tag <text>] - Key Tag

If you specify this parameter, then the command restores only the key IDs that match the specified key-tag. The key-tag for Volume Encryption Keys (VEKs) is set to the UUID of the encrypted volume. If not specified, all key ID pairs for any key tags are restored.

Examples

The following command restores keys that are currently on a key server but are not stored within the key tables on the cluster. One key is missing for vserver cluster-1 on node1, and another key is missing for vserver datavs on node1 and node2:

cluster-1::> security key-manager external restore
Node: node1
            Vserver: cluster-1
         Key Server: 10.0.0.1:5696

Key ID
 --------------------------------------------------------------------------------
00000000000000000200000000000100a04fc7303d9abd1e0f00896192fa9c3f0000000000000000
Node: node1
            Vserver: datavs
         Key Server: tenant.keysever:5696
Key ID
 --------------------------------------------------------------------------------
00000000000000000200000000000400a05a7c294a7abc1e0911897132f49c380000000000000000
Node: node2
            Vserver: datavs
         Key Server: tenant.keysever:5696

Key ID
 --------------------------------------------------------------------------------
00000000000000000200000000000400a05a7c294a7abc1e0911897132f49c380000000000000000
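As an added example that is not part of this reference page or of ONTAP itself, the following parser turns the output format shown above into records, so an operator can check which key IDs each node restored from which key server; the sample output is constructed after the page's example, and the field names are the example's own choice.

```python
# Added example (not NetApp code): parse 'security key-manager external restore' output.
import re
from collections import defaultdict

# Constructed sample modelled on the page's example output (the blank line before 'Key ID' is optional).
SAMPLE_OUTPUT = """\
Node: node1
            Vserver: cluster-1
         Key Server: 10.0.0.1:5696

Key ID
 --------------------------------------------------------------------------------
00000000000000000200000000000100a04fc7303d9abd1e0f00896192fa9c3f0000000000000000
Node: node2
            Vserver: datavs
         Key Server: tenant.keysever:5696
Key ID
 --------------------------------------------------------------------------------
00000000000000000200000000000400a05a7c294a7abc1e0911897132f49c380000000000000000
"""

HEX_KEY_ID = re.compile(r"^[0-9a-fA-F]{32,}$")
FIELDS = {"Node": "node", "Vserver": "vserver", "Key Server": "key_server"}

def parse_restore_output(text):
    """Return one dict per restored key with node, vserver, key_server and key_id."""
    records, ctx = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Key ID" or line.startswith("-"):
            continue  # blank lines, the column header and the separator carry no data
        label, _, value = line.partition(":")  # split on the first colon only
        if label in FIELDS:
            if label == "Node":
                ctx = {}  # each 'Node:' line starts a new block
            ctx[FIELDS[label]] = value.strip()
        elif HEX_KEY_ID.match(line) and len(ctx) == 3:
            records.append(dict(ctx, key_id=line.lower()))
        else:
            raise ValueError("unexpected line: " + raw)
    return records

def nodes_by_key(records):
    """Map vserver -> {key_id -> sorted list of nodes that restored that key}."""
    out = defaultdict(lambda: defaultdict(set))
    for r in records:
        out[r["vserver"]][r["key_id"]].add(r["node"])
    return {v: {k: sorted(n) for k, n in ks.items()} for v, ks in out.items()}
```

Running nodes_by_key over the real command output lets you confirm that a key reported missing on several nodes (as datavs is in the example above) was restored on each of them.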