Migrating the KMS to another server

Encryption License Key User Guide

Part Number

If the key encryption key (KEK) was created on the key management server (KMS) and you want to migrate the KMS to another server, use the following procedure.

Do not power off the storage system during this procedure. If either (or both) of the following encryption environmental settings is enabled and the storage system is powered off during this procedure, the KEK and the encryption keys that were backed up to the KMS cannot be obtained when the storage system is powered back on, and therefore the encrypted data cannot be decrypted.
  • Protect the key encryption key at the KMS
  • Delete internal encryption keys at PS OFF
If SIM code 661000 or 661001 (Acquisition of encryption key from KMS failed) is reported, perform the following before you migrate the KMS:
  1. Restore the connection with the KMS used before migration.
  2. In the Edit Encryption Environmental Settings window, click Check in Server Configuration Test, and then confirm that the connection test ends successfully.
  3. Contact customer support to have the storage system restarted.
  • You must have the Security Administrator (View & Modify) role.
  1. On the Explorer pane, select Administration, and then select Encryption Keys.
  2. On the Encryption Keys pane, click Edit Encryption Environmental Settings.
  3. Expand Server Settings, and enter the network connection information for the new KMS.
  4. Test the connection to the new KMS by clicking Check next to Server Configuration Test.
    If the server configuration test fails, error messages are displayed. Resolve the errors before continuing.
  5. When you are finished updating the encryption environmental settings, click Finish.
  6. Verify the settings on the confirmation window, and then click Apply.