dsetool managekmip expirekey
Expires encryption/decryption keys on a Key Management Interoperability Protocol (KMIP) server. The database stops using the key for encryption at the specified time but continues to use the expired key to decrypt existing data, so re-keying the data is not required. Use this command to satisfy security policies that require periodically switching the encryption key.
DataStax recommends following best practices for key management permission policies. See Expiring an encryption key.
Synopsis
dsetool managekmip expirekey kmip_group_name kmip_key_id [date_time]
Syntax conventions

Syntax conventions | Description
---|---
UPPERCASE | Literal keyword.
Lowercase | Not literal.
Italics | Variable value. Replace with a valid option or user-defined value.
[ ] | Optional. Square brackets ( [ ] ).
( ) | Group. Parentheses ( ( ) ).
\| | Or. A vertical bar ( \| ).
... | Repeatable. An ellipsis ( ... ).
' | Single quotation ( ' ).
{ } | Map collection. Braces ( { } ).
< > | Set, list, map, or tuple. Angle brackets ( < > ).
; | End CQL statement. A semicolon ( ; ).
-- | Separate the command line options from the command arguments with two hyphens ( -- ).
' | Search CQL only: Single quotation marks ( ' ).
 | Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrconfig files.
kmip_group_name
The user-defined name of the KMIP group that is configured in the kmip_hosts section of dse.yaml.
kmip_key_id
The key id on the KMIP provider.
date_time
After the specified date_time, new data is no longer encrypted with the key. Data can still be decrypted with the key after this expire date/time. The format of date_time is YYYY-MM-DD HH:MM:SS:T. For example, use 2016-04-13 20:05:00:0 to expire the encryption key at 8:05 p.m. on 13 April 2016.
Examples
To immediately expire an encryption key:
dsetool managekmip expirekey kmipgrouptwo 02-540
Encryption of new data with the key is prevented, but decryption with the key is still allowed. Because no expire date/time is specified, the key is expired immediately.
To expire an encryption key at a specific date and time:
dsetool managekmip expirekey kmipgrouptwo 02-540 2017-04-13 20:05:00:0
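The following shell function is an added example and is not part of the DataStax page or of dsetool itself. It wraps the two invocations above in a pre-flight check: the group name and key id must be single non-empty tokens, and an optional date_time must match the documented YYYY-MM-DD HH:MM:SS:T layout before the command is built. It prints the exact command line it would run and only executes it when DRY_RUN=0, so a scheduled rotation job can be reviewed before it expires anything. The function name, the DRY_RUN variable and the validation pattern are this example's own assumptions, not dsetool options.

```shell
# Added example (not from the DataStax page): pre-flight wrapper around
# `dsetool managekmip expirekey`. Function name, DRY_RUN variable and the
# date_time regex are assumptions of this example.

# Usage: expire_kmip_key <kmip_group_name> <kmip_key_id> [date_time]
# Prints the dsetool command line; runs it only when DRY_RUN=0.
expire_kmip_key() {
    group="$1"; key_id="$2"; when="$3"

    # Both identifiers are mandatory and must be single tokens. An empty or
    # space-containing value would shift the positional arguments dsetool sees,
    # and a missing date_time means "expire immediately" (see the first example).
    case "$group" in
        ''|*[[:space:]]*) echo "invalid kmip_group_name: '$group'" >&2; return 2;;
    esac
    case "$key_id" in
        ''|*[[:space:]]*) echo "invalid kmip_key_id: '$key_id'" >&2; return 2;;
    esac

    cmd="dsetool managekmip expirekey $group $key_id"

    if [ -n "$when" ]; then
        # Enforce the documented YYYY-MM-DD HH:MM:SS:T layout here rather than
        # handing a typo to dsetool.
        printf '%s\n' "$when" \
            | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}:[0-9]+$' \
            || { echo "invalid date_time: '$when' (expected YYYY-MM-DD HH:MM:SS:T)" >&2; return 2; }
        cmd="$cmd $when"
    fi

    printf '%s\n' "$cmd"
    if [ "${DRY_RUN:-1}" = "0" ]; then
        # Unquoted expansion word-splits the line exactly as the documented
        # invocations are typed at the shell prompt.
        $cmd
    fi
}
```

By default the function only prints, for example `expire_kmip_key kmipgrouptwo 02-540 "2017-04-13 20:05:00:0"` prints the second command line shown above; set DRY_RUN=0 in the environment to actually run it on a node where dsetool is installed.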