Backing up encryption keys
The methods for backing up encryption keys differ depending on whether you use a KMS.
If you are using a KMS:
- The primary backup and the secondary backup occur automatically to back up the encryption keys to the KMS. No manual secondary backup operations are required.
- If you want to make another backup of a specific key, or if you are instructed to perform a manual backup, back up the encryption key to the KMS.
If you are not using a KMS:
- The primary backup of the encryption key occurs automatically, but the secondary backup requires a manual operation. After enabling the encryption environment or creating encryption keys, back up the encryption keys as a file on the management client.
- If you want to make another backup of a specific key, or if you are instructed to perform a manual backup, back up the encryption keys as a file on the management client.
- Set a password when you back up encryption keys as a file on the management client. You will need this password to restore the encryption keys.
The following REST API command is used to back up encryption keys on the KMS:
POST <Base URL>/v1/objects/encryption-keys/kms/actions/backup/invoke
The following REST API command is used to back up encryption keys as a file on the management client:
POST <Base URL>/v1/objects/encryption-keys/file/actions/backup/invoke
You are responsible for maintaining secondary backups of encryption keys and storing the password.
Restoring encryption keys
If the encryption keys in the storage system, including the encryption keys backed up in the primary backup, become unavailable, restore the encryption keys backed up in the secondary backup. You can restore an encryption key from the secondary backup by using the file on the management client or by connecting to the KMS and restoring it.
Encryption key restoration is performed collectively for all backed-up encryption keys (including unused keys and DEKs) whose key information has been lost. However, encryption keys that were deleted, or unused keys that were explicitly deleted manually (for example, during drive maintenance), are not restored.
To restore an encryption key, all pool volumes that belong to the parity group for which the encryption key is configured must be blocked. Also, after restoring the encryption key, you must recover all pool volumes that belong to the parity group for which the encryption key is set.
The following REST API command is used to restore encryption keys from a file on the management client:
POST <Base URL>/v1/objects/encryption-keys/file/actions/restore/invoke
The following REST API command is used to restore encryption keys from a KMS:
POST <Base URL>/v1/objects/encryption-keys/all/actions/kms-restore/invoke
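The backup and restore calls above, as an added example that is not the vendor's own client code. It assumes (not stated on this page) that the file-based calls carry the key-file password in a body of the form {"parameters": {"password": ...}}, and that authentication and transport are supplied by the caller through the send callable, so nothing is sent unless a real transport is passed.

```python
"""Build and issue the encryption-key backup/restore REST calls described above."""
from typing import Any, Callable, Dict, Optional

# Endpoints taken from the page; <Base URL> is supplied by the caller.
ENDPOINTS = {
    ("backup", True): "/v1/objects/encryption-keys/kms/actions/backup/invoke",
    ("backup", False): "/v1/objects/encryption-keys/file/actions/backup/invoke",
    ("restore", True): "/v1/objects/encryption-keys/all/actions/kms-restore/invoke",
    ("restore", False): "/v1/objects/encryption-keys/file/actions/restore/invoke",
}

# send(method, url, body) -> parsed JSON response (hypothetical transport hook).
Transport = Callable[[str, str, Dict[str, Any]], Dict[str, Any]]


def secondary_backup_required(use_kms: bool) -> bool:
    """Only systems without a KMS need a manual secondary backup (the key file)."""
    return not use_kms


def build_key_request(base_url: str, action: str, use_kms: bool,
                      password: Optional[str] = None) -> Dict[str, Any]:
    """Return method, URL and body for a backup or restore call.

    File-based backup/restore needs the password that protects the key file
    (the page states it is required to restore); KMS calls take no password.
    """
    if action not in ("backup", "restore"):
        raise ValueError(f"unknown action {action!r}")
    body: Dict[str, Any] = {}
    if use_kms:
        if password is not None:
            raise ValueError("KMS backup/restore does not take a file password")
    else:
        if not password:
            raise ValueError("a password is required when using a key file")
        body = {"parameters": {"password": password}}  # assumed body shape
    return {"method": "POST",
            "url": base_url.rstrip("/") + ENDPOINTS[(action, use_kms)],
            "body": body}


def run_key_action(base_url: str, action: str, use_kms: bool, send: Transport,
                   password: Optional[str] = None) -> Dict[str, Any]:
    """Build the request and hand it to the caller's transport."""
    req = build_key_request(base_url, action, use_kms, password)
    return send(req["method"], req["url"], req["body"])
```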