Changing the primary external KMS server

Content Platform for Cloud Scale Administration Guide

Version
2.6.x
File Size
1945 KB
Audience
anonymous
Part Number
MK-HCPCS008-10

You can use the Object Storage Management application or an API method to promote a secondary external KMS server to the primary role.

The HCP for cloud scale system has read/write access to the primary external KMS server, but only read access to secondary external KMS servers. With read access a KMS server can provide storage component KEKs. With write access new KEKs can be added.

Any external KMS server designated as a secondary server can be promoted to a primary server. Promoting a secondary server demotes the existing primary server to secondary status.

Normally, KEKs are synchronized between the primary server and any secondary servers. If a secondary server is promoted but has an incomplete set of KEKs, HCP for cloud scale tries to populate missing KEKs using cached KEKs. If the promoted server cannot produce a KEK and the KEK is not cached, then all data associated with the missing KEK remains unavailable until the previous primary server is repaired and populates the newly promoted primary server with the missing KEK.