You can use XML to rotate the master key of a storage policy copy. This operation revokes the current master key and generates a new master key with the key management server. The software uses the old master key to decrypt the key encryption key (KEK) and then re-encrypts the KEK with the new master key. Thereafter, the software uses only the new master key for all existing and new data. The old master key is no longer referenced or used.
Note
- For a copy that is dependent on a Global Storage Policy, you can perform key rotation only on the Global Storage Policy.
- If you enabled Bring Your Own Key (BYOK) for the key management server configured for a copy, then the copy uses one available key that is set for BYOK to perform encryption. Before you perform key rotation, at least one unused key must be available for the copy. Otherwise, key rotation fails.
Before You Begin
Take a backup of the existing key. You may need to restore and use the key when you restore a disaster recovery backup in case of CommServe recovery.
Procedure
- Use the qlogin command to log on to the CommServe computer.
- Download the Rotate_MasterKey.xml file and save it on the computer where the command is run.
- The following table displays the parameters you can use with the command.

| Attribute | Description | Parent element |
|---|---|---|
| copyName | The name of the storage policy copy. | StoragePolicyCopy |
| storagePolicyName | The name of the storage policy. | StoragePolicyCopy |
| rotateMasterKey | Used to rotate the master key. The value is set to 1 by default. Do not change the value. | dataEncryption |

- Execute the following command from the <software_installation_directory>/Base folder after substituting the parameter values.

    qoperation execute -af <downloaded location>\Rotate_MasterKey.xml -copyName xxxxx -storagePolicyName xxxx

  Example:
  Execute the following command to rotate the master key for a storage policy copy with name "Copy1" and storage policy "SP1":

    qoperation execute -af <downloaded location>\Rotate_MasterKey.xml -copyName Copy1 -storagePolicyName SP1
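The rewrap described in the opening paragraph, and the reason for backing up the existing key first, modelled as an added example (not the product's code). The `wrap`/`unwrap` helpers and all names are hypothetical: they are a constructed HMAC-SHA256 stand-in for the key management server, not a real key-wrap algorithm, and the sketch assumes a backup taken before rotation still holds the KEK encrypted under the old master key.

```python
import hashlib
import hmac
import secrets

def _subkey(master: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from the master key.
    return hmac.new(master, label, hashlib.sha256).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap(master: bytes, kek: bytes) -> bytes:
    """Constructed stand-in for the key management server's encrypt operation."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(kek, _stream(_subkey(master, b"enc"), nonce, len(kek))))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(master: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrapped KEK does not verify under this master key")
    return bytes(a ^ b for a, b in zip(ct, _stream(_subkey(master, b"enc"), nonce, len(ct))))

def rotate_master_key(old_master: bytes, wrapped_kek: bytes):
    """Decrypt the KEK with the old master key, re-encrypt it with a new one."""
    kek = unwrap(old_master, wrapped_kek)
    new_master = secrets.token_bytes(32)
    return new_master, wrap(new_master, kek)

def opens(master: bytes, blob: bytes) -> bool:
    try:
        unwrap(master, blob)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    old_master, kek = secrets.token_bytes(32), secrets.token_bytes(32)
    before = wrap(old_master, kek)  # wrapped KEK as a pre-rotation backup holds it
    new_master, after = rotate_master_key(old_master, before)
    print("KEK unchanged by rotation:", unwrap(new_master, after) == kek)
    print("old key opens live copy:  ", opens(old_master, after))
    print("new key opens old backup: ", opens(new_master, before))
    print("old key opens old backup: ", opens(old_master, before))
```

The KEK itself never changes, so data protected under it needs no re-encryption; only the wrapped copy of the KEK is replaced.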