Creating encryption keys
Encryption keys are created automatically when the encryption environment is enabled. The encryption keys are assigned to drives when a DDP group with encryption enabled is created.
New encryption keys must be created manually in the following cases:
- When you need to change an encryption key.
- After deleting encryption keys.
- When you run out of unassigned encryption keys due to drive replacement.
When creating encryption keys, always create the maximum number of keys that can be created: (4096 - <current number of keys>). To get the current number of keys, use the following command: GET <base URL>/v1/objects/encryption-key-counts/instance
The following REST API command is used to create encryption keys:
POST <base URL>/v1/objects/encryption-keys
Deleting encryption keys
You can delete unused (Free) encryption keys in the storage system. Encryption keys need to be deleted in the following cases:
- When you change the encryption key generation location from the storage system to a KMS by changing the encryption environment settings.
- When you migrate a KMS to another server and plan to use new encryption keys instead of the existing encryption keys.
After you delete encryption keys, always create the maximum number of encryption keys that can be created: (4096 - <current number of keys>). To get the current number of keys, use the following command: GET <base URL>/v1/objects/encryption-key-counts/instance
The following REST API command is used to delete encryption keys:
DELETE <base URL>/v1/objects/encryption-keys/<object-ID>
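The two procedures above (top up the key pool to the 4096 maximum after reading the current count, and delete unused keys and then top up again) as one added Python example. This is not code from the original documentation or the storage vendor; the endpoint paths and the 4096 ceiling come from the page, while the JSON field names of the key-count response, the POST body field "numOfKeys", and the "Session <token>" Authorization scheme are assumptions to be checked against the product's REST API reference. The HTTP layer is injectable so the procedure can be exercised offline against a constructed stand-in for the storage system.

```python
# Added example (not the vendor's code). Assumed: key-count JSON field names,
# the POST body field "numOfKeys", and the Authorization header scheme.
import json
import urllib.request
from typing import Callable, Dict, List, Optional

MAX_KEYS = 4096  # ceiling stated on the page

# A transport takes (method, url, json_body_or_None) and returns the decoded JSON reply.
Transport = Callable[[str, str, Optional[dict]], dict]


def keys_to_create(current_count: int) -> int:
    """Keys to request so the pool reaches the maximum: 4096 - current (page formula)."""
    if not 0 <= current_count <= MAX_KEYS:
        raise ValueError(f"key count out of range: {current_count}")
    return MAX_KEYS - current_count


def total_keys(counts: Dict[str, object]) -> int:
    """Sum every integer field of the key-count response.

    Assumption: the response reports per-state counts (free, assigned, ...) as
    integers and carries no other integer-typed field; adjust for the real payload.
    """
    return sum(v for v in counts.values() if isinstance(v, int) and not isinstance(v, bool))


def urllib_transport(session_token: str, timeout: float = 30.0) -> Transport:
    """Transport that really speaks HTTP to the REST server (used outside tests)."""
    def send(method: str, url: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Accept", "application/json")
        req.add_header("Authorization", f"Session {session_token}")  # assumed scheme
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return send


class EncryptionKeyClient:
    """Thin wrapper over the three endpoints named on the page."""

    def __init__(self, base_url: str, transport: Transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport

    def get_key_counts(self) -> dict:
        return self.transport("GET", f"{self.base_url}/v1/objects/encryption-key-counts/instance", None)

    def create_keys(self, count: int) -> dict:
        if count <= 0:
            raise ValueError("count must be positive")
        # Assumption: the request body names the quantity "numOfKeys".
        return self.transport("POST", f"{self.base_url}/v1/objects/encryption-keys", {"numOfKeys": count})

    def delete_key(self, object_id: str) -> dict:
        return self.transport("DELETE", f"{self.base_url}/v1/objects/encryption-keys/{object_id}", None)


def top_up_keys(client: EncryptionKeyClient) -> int:
    """Read the current count, create (4096 - current) keys; return how many were requested."""
    n = keys_to_create(total_keys(client.get_key_counts()))
    if n > 0:
        client.create_keys(n)
    return n


def delete_free_keys_then_top_up(client: EncryptionKeyClient, free_key_ids: List[str]) -> int:
    """Delete the listed unused (Free) keys one by one, then refill the pool to the maximum."""
    for key_id in free_key_ids:
        client.delete_key(key_id)
    return top_up_keys(client)


class RecordingTransport:
    """Constructed offline stand-in for the storage system: records calls, serves counts."""

    def __init__(self, counts: Dict[str, int]):
        self.counts = dict(counts)  # assumed field names, e.g. numOfFreeKeys
        self.calls: List[tuple] = []

    def __call__(self, method: str, url: str, body: Optional[dict]) -> dict:
        self.calls.append((method, url, body))
        if method == "GET":
            return dict(self.counts)
        if method == "POST":
            self.counts["numOfFreeKeys"] = self.counts.get("numOfFreeKeys", 0) + body["numOfKeys"]
        if method == "DELETE":
            self.counts["numOfFreeKeys"] -= 1
        return {}


if __name__ == "__main__":
    fake = RecordingTransport({"numOfFreeKeys": 100, "numOfAssignedKeys": 2900})
    client = EncryptionKeyClient("https://storage.example.invalid", fake)  # constructed base URL
    print("created:", top_up_keys(client))                      # 1096
    print("after delete/top-up:", delete_free_keys_then_top_up(client, ["k1", "k2"]))  # 2
```

In production, replace the RecordingTransport with urllib_transport(token) and the constructed base URL with the real one; the procedure logic stays the same, and the total reported by the GET endpoint is what drives how many keys the POST requests.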