dsetool managekmip expirekey

Expires encryption/decryption keys on a KMIP server.

Expires encryption/decryption keys on a Key Management Interoperability Protocol (KMIP) server. Database stops using the key for encryption at the specified time and continues to use the expired key to decrypt existing data. Data re-keying is not required. Use this command to satisfy security policies that require periodically switching the encryption key.

DataStax recommends following best practices for key management permission policies. See .


dsetool managekmip expirekey kmip_group_name kmip_key_id [date_time]
Table 1. Legend
Syntax conventions Description
UPPERCASE Literal keyword.
Lowercase Not literal.
Italics Variable value. Replace with a valid option or user-defined value.
[ ] Optional. Square brackets ( [ ] ) surround optional command arguments. Do not type the square brackets.
( ) Group. Parentheses ( ( ) ) identify a group to choose from. Do not type the parentheses.
| Or. A vertical bar ( | ) separates alternative elements. Type any one of the elements. Do not type the vertical bar.
... Repeatable. An ellipsis ( ... ) indicates that you can repeat the syntax element as often as required.
'Literal string' Single quotation ( ' ) marks must surround literal strings in CQL statements. Use single quotation marks to preserve upper case.
{ key:value } Map collection. Braces ( { } ) enclose map collections or key value pairs. A colon separates the key and the value.
<datatype1,datatype2> Set, list, map, or tuple. Angle brackets ( < > ) enclose data types in a set, list, map, or tuple. Separate the data types with a comma.
cql_statement; End CQL statement. A semicolon ( ; ) terminates all CQL statements.
[ -- ] Separate the command line options from the command arguments with two hyphens ( -- ). This syntax is useful when arguments might be mistaken for command line options.
' <schema> ... </schema> ' Search CQL only: Single quotation marks ( ' ) surround an entire XML schema declaration.
@xml_entity='xml_entity_type' Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrconfig files.
The user-defined name of the KMIP group that is configured in the kmip_hosts section of dse.yaml.
The key id on the KMIP provider.
After the specified date_time, new data will not be encrypted with the key. Data can be decrypted with the key after this expire date/time. Format of datetime is YYYY-MM-DD HH:MM:SS:T. For example, use 2016-04-13 20:05:00:0 to expire the encryption key at 8:05 p.m. on 13 April 2016.


To immediately expire an encryption key:

dsetool managekmip expirekey kmipgrouptwo 02-540

Encryption for new data is prevented, but decryption with the key is still allowed. Because the expire date/time is not specified, the key is expired immediately.

To expire an encryption key at a specific date and time:

dsetool managekmip expirekey kmipgrouptwo 02-540 2017-04-13 20:05:00:0