If you want to migrate the KMS to another server, change the settings of the primary server and the secondary server to match the new KMS. When you change the connection destination of the KMS, the encryption keys are backed up to the newly configured KMS.
Use the following command to set up a connection with the KMS to be used after migration:
PATCH <Base URL>/v1/objects/kms-settings/<Object ID>
- If you want to change the KMS itself, set the KMS migration flag isMigration to true. A backup of the key encryption key (KEK) and encryption keys is registered on the destination KMS.
- If you want to change the IP address, host name, or other settings without changing the KMS itself, set the KMS migration flag isMigration to false. No new key encryption key or encryption key backups are registered on the KMS.
CAUTION:
Do not turn off the storage system during the configuration process of migrating the KMS to another server. If the storage system is turned off during this task, the key encryption key and encryption keys backed up to the KMS cannot be retrieved when the power is turned on, and the data cannot be decrypted.
Note: If all volumes are blocked and SIM code 661000 or 661001 (Failed to retrieve encrypted key from Key Management Server) is reported, perform the following actions before migrating the KMS:
- Test the connection with the pre-migration KMS.
- Confirm that the connection test with the KMS completes successfully.
- Contact customer support and request that the storage system be restarted.