Refreshing keys on KMIP

Use the zkey kms refresh command to refresh secure keys that are bound to KMIP.

About this task

Refreshing a key updates the secure key by reimporting it from the KMIP server.

The zkey kms refresh command can be useful if the secure keys were not reenciphered properly after a CCA or EP11 master key change and thus became invalid. The zkey kms refresh command reimports the secure key under the current CCA or EP11 master key. Hence, you can use this command as an alternative to the zkey reencipher command for keys that are bound to a KMIP plug-in.

You can filter the list of keys to be refreshed by:
  • Key name, option -N or --name
  • Key type, option -K or --key-type
  • Associated volumes, option -l or --volumes
  • Volume type, option -t or --volume-type
These options are the same as for other zkey kms commands. For details about the filter options, see zkey kms - Managing secure keys with a KMS plug-in, Pervasive Encryption for Data Volumes, SC34-2782, or the zkey man page.

Procedure

  • To refresh a key, issue a command of the form:
    # zkey kms refresh -N <name>
    You can use wildcards to refresh several keys.
    For example, to refresh all keys whose names start with "sec", issue:
    # zkey kms refresh -N "sec*"
  • To refresh key properties, use the -P option.
    Refreshing updates the information in the zkey repository with the information from the KMIP server, including the description, associated volumes, volume type, and sector size.