Adding or updating a KMS using the CLI

Content Software for File CLI Reference

Version
4.2.x
Part Number
MK-HCSF001-03

Command

weka security kms set

Use the following command line to add or update the Vault KMS configuration in the Content Software for File system.

weka security kms set <type> <address> <key-identifier> [--token token] [--namespace namespace] [--client-cert client-cert] [--client-key client-key] [--ca-cert ca-cert]

Parameters

| Name | Type | Value | Limitations | Mandatory | Default |
|---|---|---|---|---|---|
| type | String | Type of the KMS | Either vault or kmip | Yes | |
| address | String | KMS server address | URL for Vault, hostname:port for KMIP | Yes | |
| key-identifier | String | Key to be used for encryption-as-a-service in the KMS | Key name (for Vault) or a key UID (for KMIP) | Yes | |
| token | String | API token to access Vault KMS | Must have: read permissions to transit/keys/<master-key-name>; write permissions to transit/encrypt/<master-key-name> and transit/decrypt/<master-key-name>; permissions to /transit/rewrap and auth/token/lookup | Must be supplied for Vault and must not be supplied for kmip | |
| namespace | | The Vault's namespace name | Namespace names must not end with "/", must avoid spaces, and must not use reserved names like root, sys, audit, auth, cubbyhole, and identity. (Available from v4.2.7.) | | |
| client-cert | String | Path to the client certificate PEM file | Must permit encrypt and decrypt permissions | Must be supplied for kmip and must not be supplied for Vault | |
| client-key | String | Path to the client key PEM file | | Must be supplied for kmip and must not be supplied for vault | |
| ca-cert | String | Path to the CA certificate PEM file | | Optional for kmip and must not be supplied for vault | |

Note: For the add or update command to succeed, the KMS should be preconfigured and available with the key and a valid token.
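
A Vault policy granting only the token permissions listed in the parameters table, as an added example (not taken from this reference or from the product). It assumes the transit secrets engine is mounted at transit/ and the key is named weka-key as in the example on this page; the capability names, and scoping rewrap to the key name, are assumptions that map the table's read/write wording onto Vault policy capabilities.

```hcl
# Added example: least-privilege policy for the token supplied with --token.
# Assumptions: transit engine mounted at "transit/", master key named "weka-key".

# Read permissions to transit/keys/<master-key-name> (key metadata only).
path "transit/keys/weka-key" {
  capabilities = ["read"]
}

# Write permissions to transit/encrypt/<master-key-name>.
# Vault expresses "write" as the create and update capabilities.
path "transit/encrypt/weka-key" {
  capabilities = ["create", "update"]
}

# Write permissions to transit/decrypt/<master-key-name>.
path "transit/decrypt/weka-key" {
  capabilities = ["create", "update"]
}

# Permissions to transit/rewrap. The table does not name a capability;
# rewrap is a POST endpoint, so "update" is assumed, limited to this key.
path "transit/rewrap/weka-key" {
  capabilities = ["update"]
}

# Permissions to auth/token/lookup (POST endpoint, "update" assumed).
path "auth/token/lookup" {
  capabilities = ["update"]
}
```
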
For example, setting the Content Software for File system with a Vault KMS:

weka security kms set vault https://vault-dns:8200 weka-key --token s.nRucA9Gtb3yNVmLUK221234

Setting the Content Software for File system with a KMIP-compliant KMS (for example, SmartKey):

weka security kms set kmip amer.smartkey.io:5696 b2f81234-c0f6-4d63-b5b3-84a82e231234 --client-cert smartkey_cert.pem --client-key smartkey_key.pem