dsetool managekmip revoke
Permanently disables the key on the KMIP server. Database can no longer use the key for encryption, but continues to use the key for decryption of existing data. Re-encrypt existing data before completely removing the key from the KMIP server. Use this command as the first step when replacing a compromised key.
Synopsis
dsetool managekmip revoke kmip_group_name kmip_key_id
Syntax conventions
Syntax conventions | Description |
---|---|
UPPERCASE |
Literal keyword. |
Lowercase |
Not literal. |
|
Variable value. Replace with a valid option or user-defined value. |
|
Optional.
Square brackets ( |
|
Group.
Parentheses ( |
|
Or.
A vertical bar ( |
|
Repeatable.
An ellipsis ( |
|
Single quotation ( |
|
Map collection.
Braces ( |
|
Set, list, map, or tuple.
Angle brackets ( |
|
End CQL statement.
A semicolon ( |
|
Separate the command line options from the command arguments with two hyphens ( |
|
Search CQL only: Single quotation marks ( |
|
Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrconfig files. |
kmip_groupname
-
The user-defined name of the KMIP group that is configured in the
kmip_hosts
section ofdse.yaml
. kmip_key_id
-
The key id on the KMIP provider.
Examples
To revoke a key to prevent decryption:
dsetool managekmip revoke kmipgrouptwo 02-540