Re-wrapping filesystem keys using the CLI

Content Software for File CLI Reference

Version
4.2.x
Part Number
MK-HCSF001-03

Command

weka security kms rewrap

If the KMS key is compromised or requires rotation, the KMS admin can rotate the key in the KMS. In such cases, this command is used to re-encrypt the encrypted filesystem keys with the new KMS master key.

weka security kms rewrap [--new-key-uid new-key-uid]

Parameters

| Name | Type | Value | Limitations | Mandatory | Default |
|------|------|-------|-------------|-----------|---------|
| new-key-uid | String | Unique identifier for the new key to be used to wrap filesystem keys | | Must be supplied for kmip and must not be supplied for Vault | |

Note: Existing filesystem keys that are part of the Snap-To-Object feature will not be automatically re-encrypted with the new KMS key.
Note: Unlike with a Vault KMS, re-wrapping with a KMIP-based KMS requires generating a new key in the KMS, rather than rotating the same key. Hence, the old key should be preserved in the KMS in order to be able to decrypt old Snap-To-Object snapshots.
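
The following wrapper is an added example, not part of the original reference or of the product. It enforces the new-key-uid rule from the parameter table before invoking the command. The kms_type argument, the DRY_RUN variable and the sample key UID are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not vendor code. Only the "weka security kms rewrap"
# command line comes from the page; the kms_type argument and the DRY_RUN
# variable are assumptions of this sketch.

rewrap() {
    kms_type=$1
    new_uid=${2:-}
    set -- weka security kms rewrap     # function-local argument vector

    case "$kms_type" in
        kmip)
            # KMIP: a new key must already exist in the KMS.
            if [ -z "$new_uid" ]; then
                echo "kmip: --new-key-uid is required" >&2
                return 2
            fi
            case "$new_uid" in
                -*) echo "kmip: key UID must not start with '-'" >&2; return 2 ;;
            esac
            echo "kmip: keep the old key in the KMS;" \
                 "Snap-To-Object snapshots are not re-wrapped" >&2
            set -- "$@" --new-key-uid "$new_uid"
            ;;
        vault)
            # Vault: the same key is rotated in the KMS, so no UID is passed.
            if [ -n "$new_uid" ]; then
                echo "vault: --new-key-uid must not be supplied" >&2
                return 2
            fi
            ;;
        *)
            echo "unknown KMS type: $kms_type (expected kmip or vault)" >&2
            return 2
            ;;
    esac

    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"        # default: print the command instead of running it
    else
        "$@"
    fi
}
```

With DRY_RUN left at its default the function only prints the command line; set DRY_RUN=0 to run it on a cluster host.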