managereckey
The managereckey command is used to manage an existing encryption recovery key.
Parameters
- -dev storage_image_ID
- (Optional) The storage image ID, which includes manufacturer, machine type, and serial number. For example, IBM.2107-75FA120. The storage image ID is required if you do not specify a fully qualified key group ID. It is also required if you do not set the devid variable in your profile or through the setenv command, and the HMC is aware of more than one storage image. Using the -dev parameter temporarily overrides any defined value for devid for the current command.
- -action verify | rekey | recover | cancel | validate | authorize | enable | disable
- (Required) The action to complete on the recovery key.
- Verify
- The verify option is for users with security administrator authority, and is the second step in creating an Encryption Recovery Key or re-creating an existing Encryption Recovery Key. Verify that you received the new Recovery Key from the first step (mkreckey, or managereckey with -action rekey) by specifying that new key with the -key parameter. The next step requires the storage administrator to authorize the pending operation.
- Rekey
- The rekey option is for users with security administrator authority, and is the first step to reconfigure an existing Encryption Recovery Key. The existing Encryption Recovery Key is not required to start the rekey operation. The next step requires the security administrator to verify the new recovery key.
- Recover
- The recover option is for users with security administrator authority, and is the first step to using the Encryption Recovery Key to recover access to the encrypted data on the storage system. The user specifies the Encryption Recovery Key with the -key parameter. The next step requires the storage administrator to authorize the recover operation.
- Cancel
- The cancel option is for users with either security administrator or storage administrator authority to cancel any verification or authorization pending steps. The existing Encryption Recovery Key is not required and no further steps are required.
- Validate
- The validate option is for users with security administrator authority, and is used to ensure that the existing Encryption Recovery Key is identical to the recovery key that is in the user's possession. The user specifies the Encryption Recovery Key in their possession with the -key parameter, but no further steps are required.
- Authorize
- The authorize option is for users with storage administrator authority, and is the final step of most recovery key operations. Once authorized, the pending recovery key operation is completed and any resulting changes to the storage system are started. The existing Encryption Recovery Key is not required and no further steps are required.
- Enable
- The enable option is for users with security administrator authority, and is the first step to enable the Encryption Recovery Key for the key group. The Recovery Key needs to be enabled only if it was previously disabled. The existing Encryption Recovery Key is not required. The next step requires the storage administrator to authorize the pending operation.
- Disable
- The disable option is for users with security administrator authority, and is the first step to disable the Encryption Recovery Key for the key group. The existing Encryption Recovery Key is not required. The next step requires the storage administrator to authorize the pending operation. After that, the group will operate without an Encryption Recovery Key, and will not be recoverable with a Recovery Key.
- -key the_key
- (Optional) The encryption recovery key. The encryption recovery key is a string of 64 hexadecimal characters. For example, 01F3-45A7-8D12-B586-0123-4C67-891E-3586-01A3-45E7-8D12-3586-0123-45C7-8912-3B86.
- key_group_ID | -
- (Required) The key group ID for the encryption recovery key that you want to manage. The key group ID is a decimal number that ranges from 1 to N, where N is the maximum number of key groups that are supported by the storage system. Use the showsi command to determine this maximum number. If you use the dash (-), the specified value is read from standard input. You cannot use the dash (-) while you are in the DS CLI interactive command mode.
Example: Managing an existing encryption recovery key.
dscli> managereckey -dev IBM.2107-75FA120 -action verify -key 0123-4567-8912-3586-0123-4567-8912-3586-0123-4567-8912-3586-0123-4567-8912-3586 1
Output:
The Recovery Key for key group 1 has been verified, authorization pending.
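The action descriptions above define a dual-control workflow: the security administrator starts an operation (rekey, recover, enable, disable), a verification step may follow, and the storage administrator authorizes before anything changes on the storage system. The following shell functions are an added example, not part of the DS CLI documentation or the product, of the pre-flight checks a wrapper script could run before opening a dscli session: normalizing the 64-hexadecimal-character recovery key into the dashed form the page shows, checking the key group ID against the maximum reported by showsi, and modelling which role may run which action in which state. Nothing here calls dscli; the state names (none, verify_pending, authorize_pending), the role names (secadmin, storadmin), and the rule that cancel is only meaningful while a step is pending are assumptions derived from the parameter text.

```shell
#!/bin/sh
# Added example (not IBM's code): local pre-flight checks for managereckey
# operations. State and role names below are assumptions, not DS CLI values.

# Normalize a recovery key: strip dashes and spaces, upper-case it, and require
# exactly 64 hexadecimal characters. Prints the canonical 16x4 dashed form on
# success; prints nothing and returns 1 on failure.
normalize_reckey() {
    raw=$(printf '%s' "$1" | tr -d ' -' | tr 'a-f' 'A-F')
    case "$raw" in
        *[!0-9A-F]*) return 1 ;;   # non-hex character present
    esac
    [ "${#raw}" -eq 64 ] || return 1
    out=""
    while [ -n "$raw" ]; do
        out="${out}${out:+-}$(printf '%s' "$raw" | cut -c1-4)"
        raw=$(printf '%s' "$raw" | cut -c5-)
    done
    printf '%s\n' "$out"
}

# Validate a key group ID: a decimal number from 1 to N, where N is the
# maximum number of key groups. N is passed in as $2 because the real value
# comes from showsi, which this example does not run.
valid_key_group() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le "$2" ]
}

# Model the dual-control workflow from the action descriptions.
# Usage: next_state CURRENT_STATE ROLE ACTION KEY_GIVEN(yes|no)
# Prints the state after the action, or returns 1 if the role, the required
# -key parameter, or the current state does not permit the action.
next_state() {
    cur=$1 role=$2 action=$3 key=$4
    # Who may run the action (from "is for users with ... authority").
    case "$action" in
        rekey|recover|validate|verify|enable|disable)
            [ "$role" = secadmin ] || return 1 ;;
        authorize)
            [ "$role" = storadmin ] || return 1 ;;
        cancel)
            case "$role" in secadmin|storadmin) ;; *) return 1 ;; esac ;;
        *) return 1 ;;
    esac
    # Actions that take the recovery key through -key.
    case "$action" in
        verify|recover|validate) [ "$key" = yes ] || return 1 ;;
    esac
    # What is pending afterwards.
    case "$cur/$action" in
        none/rekey)                                      echo verify_pending ;;
        verify_pending/verify)                           echo authorize_pending ;;
        none/recover|none/enable|none/disable)           echo authorize_pending ;;
        authorize_pending/authorize)                     echo none ;;
        verify_pending/cancel|authorize_pending/cancel)  echo none ;;
        */validate)                                      echo "$cur" ;;  # no state change
        *) return 1 ;;
    esac
}

# Stand-alone demonstration with a constructed key (not a real recovery key).
normalize_reckey '01f3-45a7-8d12-b586-0123-4c67-891e-3586-01a3-45e7-8d12-3586-0123-45c7-8912-3b86'
```

A wrapper that runs these checks first fails locally on a mistyped key or an out-of-range key group instead of leaving a half-started operation pending on the storage system, and the role check documents the separation of duties so that the same account is never expected to both start and authorize a recovery key change.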