Migrating an internal KMS to an external KMS

Content Platform for Cloud Scale Administration Guide

Administrators with the appropriate permissions can migrate their internal KMS to an external HCP for cloud scale system. The process copies all existing key encryption keys (KEKs), including their versions. Once initiated, the transfer is immediate and irreversible. Ongoing S3 activity is not disrupted and all bucket owner encryption settings are maintained. After the migration completes, the encryption options available in the Object Storage Management UI change permanently, allowing administrators to manage the new external KMS.

This one-time migration is only available through the MAPI. For more information, see the HCP for cloud scale API Reference Guide.


  • The system must have a valid DARE license.

  • The internal KMS must already be configured.

  • The internal KMS must be unsealed.

  • The external KMS must be available, with the client certificate already loaded.

  • The admin user must have the correct permissions to conduct this action.

Related API

POST https://host_ip:9099/mapi/v1/kmip/migrate_server