Managing off-server encryption keys
Tools to manage off-server encryption keys.
Use the dsetool managekmip command to manage encryption keys that are stored on the KMIP key server.
Use this syntax:
dsetool managekmip list|expirekey|revoke|destroy kmip_groupname [command_arguments]
The KMIP key server group, identified as kmip_groupname, is a user-defined KMIP server group that is set in the kmip_hosts section in dse.yaml.
Note: There are risks associated with expiring, revoking, and deleting keys. DataStax recommends that the key management permission policies do not give every node the ability to delete keys. When encryption keys might be cached, ensure that the key cache time has passed before expiring, revoking, or deleting keys.
To view help on the dsetool managekmip command:
dsetool managekmip help