Listing keys

Use the zkey kms list command to display eligible secure keys that are managed by KMIP. These keys can be, but need not be, in the zkey repository.

About this task

You can filter the displayed list by:
  • Key label, option -B or --label
  • Key name, option -N or --name
  • Associated volumes, option -l or --volumes
  • Volume type, option -t or --volume-type
Most of these options are the same as for the zkey list command. For details about the filter options, see zkey kms - Managing secure keys with a KMS plug-in, Pervasive Encryption for Data Volumes, SC34-2782, or the zkey man page.

The KMIP server implementation determines how keys are associated with certain clients or groups of clients, and controls who can see and access which keys. For more details about how to control access to keys in the KMIP server, refer to the documentation of your KMIP server.

Procedure

  • To list all active keys the zkey instance can use, issue zkey kms list, for example:
    # zkey kms list
    Name                         : kmip-test
    -------------------------------------------------------------------------------------
            Key label            : TEST-KEY1
            Description          : A key generated in KMIP
    ...
    
    Name                         : kmip-test2
    -------------------------------------------------------------------------------------
            Key label            : TEST-KEY2
            Description          : 2nd key generated in KMIP
            Key size             : 256 bits
            XTS type key         : No
     ...
    
  • To filter the list by label, for example:
    # zkey kms list --label "*LUKS2*"

    The command displays eligible secure keys managed by the KMIP server, where the label name contains the word LUKS2.
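
Because the KMIP server decides which keys a client can see, it is useful to compare the listing against the keys this system is expected to see. The following script is an added example, not part of the IBM documentation: it flattens the listing layout shown above into one line per key and reports key names that are not on an expected list. The function names are hypothetical, and the sample listing (including the key size and XTS values of the first key) is constructed.

```shell
# Constructed sample in the layout shown on this page (not real server output).
sample_listing() {
cat <<'EOF'
Name                         : kmip-test
-------------------------------------------------------------------------------------
        Key label            : TEST-KEY1
        Description          : A key generated in KMIP
        Key size             : 256 bits
        XTS type key         : No

Name                         : kmip-test2
-------------------------------------------------------------------------------------
        Key label            : TEST-KEY2
        Description          : 2nd key generated in KMIP
        Key size             : 256 bits
        XTS type key         : No
EOF
}

# Read a listing on stdin; print "name|label|size|xts" for each key.
flatten_keys() {
    awk '
    function emit() { if (name != "") print name "|" label "|" size "|" xts; name = label = size = xts = "" }
    {
        pos = index($0, " : ")
        if (pos == 0) next                 # separator, blank or "..." lines
        field = substr($0, 1, pos - 1)
        value = substr($0, pos + 3)
        gsub(/^[ \t]+|[ \t]+$/, "", field)
        gsub(/^[ \t]+|[ \t]+$/, "", value)
        if (field == "Name") { emit(); name = value }   # a Name line starts a new key
        else if (field == "Key label")    label = value
        else if (field == "Key size")     size = value
        else if (field == "XTS type key") xts = value
    }
    END { emit() }'
}

# Read a listing on stdin; print key names not in the space-separated list $1.
unexpected_keys() {
    expected=" $1 "
    flatten_keys | while IFS='|' read -r name _rest; do
        case "$expected" in *" $name "*) ;; *) printf '%s\n' "$name" ;; esac
    done
}

# Demonstration on the constructed sample: only kmip-test is expected.
sample_listing | unexpected_keys "kmip-test"
```

On a system with the KMIP plug-in configured, pipe the real listing in instead of the sample, for example zkey kms list | unexpected_keys "kmip-test kmip-test2".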