Rekeying a system with internal key management

Rekeying is the process of creating a new key for the system.

To create a new key, encryption must be enabled on the system; however, the rekey operation works whether there are encrypted objects or not. Only a single encryption method can be rekeyed at once.

With internal key management, the system performs the rekey operation automatically every 24 hours, so a new key is generated every 24 hours without user intervention.

No command-line interface or management GUI option exists to initiate a rekey operation; the system performs it internally.

After the rekey operation completes successfully:
  • The Last generated field on the Encryption page of the management GUI shows the updated rekey time.
  • The lsencryption command output shows the updated rekey time in the internal_key_last_rekey_time field.
The rekey operation fails if any of the following conditions occur in the system:
  • Not all nodes in the system are online.
  • A system upgrade is in progress.
  • The system is performing another encryption task by using the chencryption command.
  • A node is being removed from the system.
  • A rekey operation has timed out.
  • The TPM module on one or more nodes has failed.

In such a case, the system retries the operation after a specified time interval. If the rekey operation still fails after a finite number of retry attempts (for example, 6), a fix procedure notifies the user that the rekey operation has failed. The system attempts the rekey operation again after 24 hours. For more information, see the fix procedures.
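Because the rekey runs unattended, the practical check is to confirm from the lsencryption output that the internal_key_last_rekey_time field is advancing on the expected 24-hour cadence and to alert when it is not. The following Python script is an added example, not IBM code: it parses constructed lsencryption output and classifies the last rekey as on time, within an assumed retry window, or stale. It assumes that lsencryption prints one field-value pair per line, that a status field reports enabled, and that the timestamp uses a compact YYMMDDHHMMSS format; the six-hour retry allowance is an assumed monitoring threshold, not a documented system value.

```python
"""Staleness check for the automatic internal-key rekey.

Added example, not IBM code. Assumptions (not from the product documentation):
  * lsencryption prints one "field value" pair per line
  * a "status" field reports "enabled" when encryption is enabled
  * internal_key_last_rekey_time uses the compact YYMMDDHHMMSS format
"""
from datetime import datetime, timedelta

# Constructed sample output; not captured from a real system.
SAMPLE_LSENCRYPTION = """\
status enabled
internal_key_last_rekey_time 240310021500
"""

REKEY_INTERVAL = timedelta(hours=24)   # documented cadence of the automatic rekey
RETRY_SLACK = timedelta(hours=6)       # assumed allowance for the system's retry attempts


def parse_lsencryption(text):
    """Turn 'field value' lines into a dict; blank lines are ignored."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        fields[key] = value.strip()
    return fields


def parse_rekey_time(value):
    """Parse the assumed YYMMDDHHMMSS timestamp format."""
    return datetime.strptime(value, "%y%m%d%H%M%S")


def rekey_age(text, now):
    """Return how long ago the last rekey happened, or None if not recorded."""
    fields = parse_lsencryption(text)
    raw = fields.get("internal_key_last_rekey_time", "")
    if not raw:
        return None
    return now - parse_rekey_time(raw)


def rekey_status(text, now):
    """Classify the rekey state for a monitoring alert.

    ok        - last rekey is within the 24-hour interval
    retrying  - past 24 hours but still inside the assumed retry window
    stale     - beyond the retry window; expect a failed-rekey fix procedure
    """
    fields = parse_lsencryption(text)
    if fields.get("status") != "enabled":
        return "encryption_disabled"
    age = rekey_age(text, now)
    if age is None:
        return "no_rekey_recorded"
    if age <= REKEY_INTERVAL:
        return "ok"
    if age <= REKEY_INTERVAL + RETRY_SLACK:
        return "retrying"
    return "stale"


if __name__ == "__main__":
    # Feed the real output with e.g. `lsencryption` piped into this script
    # on a management host; here the constructed sample is used instead.
    print(rekey_status(SAMPLE_LSENCRYPTION, datetime(2024, 3, 10, 12, 0, 0)))
```

In operation, the "retrying" state maps to the retry window described above and warrants a watch rather than a page, while "stale" corresponds to the point at which a failed-rekey fix procedure is expected and should be escalated.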