Managing off-server encryption keys

Tools to manage off-server encryption keys.

Use the dsetool managekmip command to manage encryption keys that are stored on the KMIP key server.
Note: There are risks associated with expiring, revoking, and deleting keys. DataStax recommends that the key management permission policies do not give every node the ability to delete keys. When encryption keys might be cached, ensure that the key cache time has passed before expiring, revoking, or deleting keys.
The KMIP key server group, identified as kmip_groupname, is a user-defined KMIP server group that is set in the kmip_hosts section in dse.yaml.
Use this syntax:
dsetool managekmip list|expirekey|revoke|destroy kmip_groupname [command_arguments]
To view help on the dsetool managekmip command:
dsetool managekmip help

Procedure

  1. To immediately expire an encryption key to prevent encryption for new data, but still allow decryption with the key:
    dsetool managekmip expirekey kmip_groupname key_id
    To specify a date and time at which to expire the encryption key:
    dsetool managekmip expirekey kmip_groupname key_id datetime
    After the specified datetime, new data is no longer encrypted with the key, but data already encrypted with it can still be decrypted. The datetime format is YYYY-MM-DD HH:MM:SS:T. For example, use 2016-04-13 20:05:00:0 to expire the encryption key at 8:05 p.m. on 13 April 2016.
  2. To immediately revoke an encryption key, and prevent the key from being used to encrypt and decrypt data:
    dsetool managekmip revoke kmip_groupname key_id
  3. To immediately destroy an encryption key, and prevent the key from being used to encrypt and decrypt data:
    dsetool managekmip destroy kmip_groupname key_id
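The following is an added example and is not part of the DataStax documentation or of dsetool itself: a small Python wrapper that validates the expirekey timestamp format and applies the key-cache caveat from the note above before building the dsetool command line. It assumes that the trailing T field is tenths of a second, and that the operator supplies last_fetched (when a node last pulled the key) and key_cache_seconds from their own records.

```python
import re
from datetime import datetime, timedelta

# Timestamp format documented for `dsetool managekmip expirekey`: YYYY-MM-DD HH:MM:SS:T
# Assumption: the T field is tenths of a second (the docs show 2016-04-13 20:05:00:0).
_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):(\d)$")
_TS_BASE = "%Y-%m-%d %H:%M:%S"
_ACTIONS = ("expirekey", "revoke", "destroy")


def parse_ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS:T' into a datetime; reject malformed input before it reaches dsetool."""
    m = _TS_RE.match(text)
    if not m:
        raise ValueError(f"expected 'YYYY-MM-DD HH:MM:SS:T', got {text!r}")
    return datetime.strptime(m.group(1), _TS_BASE) + timedelta(milliseconds=100 * int(m.group(2)))


def format_ts(dt):
    """Inverse of parse_ts."""
    return dt.strftime(_TS_BASE) + f":{dt.microsecond // 100000}"


def cache_conflict(action_ts, last_fetched, key_cache_seconds):
    """Return the timestamp until which the key may still sit in a node's cache if the
    operation at action_ts would precede it, otherwise None. last_fetched is the operator's
    own record (hypothetical input) of when any node last pulled the key from the KMIP server."""
    cached_until = parse_ts(last_fetched) + timedelta(seconds=key_cache_seconds)
    return format_ts(cached_until) if parse_ts(action_ts) < cached_until else None


def managekmip_argv(action, group, key_id, now, last_fetched=None, key_cache_seconds=0, expire_at=None):
    """Build the dsetool argv for one key operation, refusing while the key may still be cached.
    now / expire_at / last_fetched are strings in the dsetool timestamp format."""
    if action not in _ACTIONS:
        raise ValueError(f"action must be one of {_ACTIONS}")
    if expire_at is not None and action != "expirekey":
        raise ValueError("only expirekey accepts a datetime")
    effective = expire_at if expire_at else now      # when the key actually stops being used
    parse_ts(effective)                               # validate even when no cache record is given
    if last_fetched is not None:
        until = cache_conflict(effective, last_fetched, key_cache_seconds)
        if until:
            raise RuntimeError(f"{key_id} may be cached on a node until {until}; refusing {action}")
    argv = ["dsetool", "managekmip", action, group, key_id]
    if expire_at:
        argv.append(expire_at)   # one argument containing a space: quote it when typing it in a shell
    return argv
```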