Initiating rekeying

Content Platform for Cloud Scale Administration Guide

You can use the Object Storage Management application or an API method to initiate rekeying of key encryption keys (KEKs).

You can change (or rekey) KEKs for either internal or external encryption at any time. This function supports both routine rekeying according to a security policy and rekeying on demand (for example, after a data compromise). When you initiate rekeying, the system logs the time and reason for the request. The system displays a history of rekey operations.

Superseded keys are marked as deactivated but not removed.

Generating new KEKs takes several seconds for each encrypted storage component. Rewrapping object data encryption keys (DEKs) takes longer but proceeds in the background.
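
The following is an added example, not code or an API from the product: a standard-library Python model of the behavior described above, showing why a superseded KEK is deactivated rather than removed while DEKs are still being rewrapped in the background. The names `KeyStore`, `wrap`, `unwrap`, and `rewrap_step` are hypothetical, and the HMAC-based wrap is an assumed stand-in for a real key-wrap algorithm.

```python
import hashlib, hmac, secrets

def wrap(kek: bytes, dek: bytes) -> bytes:
    """Stand-in for a real key-wrap algorithm: HMAC-derived pad plus MAC tag."""
    nonce = secrets.token_bytes(16)
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expect = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong KEK or tampered wrapped DEK")
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

class KeyStore:
    def __init__(self):
        self.keks = {}                      # kek_id -> {"key": bytes, "active": bool}
        self.wrapped = {}                   # object_id -> (kek_id, wrapped DEK)
        self.history, self.current = [], 0  # rekey log: (kek_id, reason)
        self.rekey("initial key")

    def rekey(self, reason: str) -> int:
        if self.current:
            self.keks[self.current]["active"] = False  # deactivated, not removed
        self.current += 1
        self.keks[self.current] = {"key": secrets.token_bytes(32), "active": True}
        self.history.append((self.current, reason))
        return self.current

    def add_object(self, oid: str) -> bytes:
        dek = secrets.token_bytes(32)       # 32-byte DEK, wrapped under current KEK
        self.wrapped[oid] = (self.current, wrap(self.keks[self.current]["key"], dek))
        return dek

    def get_dek(self, oid: str) -> bytes:
        kid, blob = self.wrapped[oid]       # kid may name a deactivated KEK
        return unwrap(self.keks[kid]["key"], blob)

    def rewrap_step(self, batch: int = 1) -> int:
        """Background pass: move up to `batch` DEKs to the current KEK."""
        stale = [o for o, (k, _) in self.wrapped.items() if k != self.current][:batch]
        for oid in stale:
            dek = self.get_dek(oid)         # object data itself is never re-encrypted
            self.wrapped[oid] = (self.current, wrap(self.keks[self.current]["key"], dek))
        return len(stale)
```

In this model, a deactivated KEK is no longer referenced only once `rewrap_step` returns 0.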