encryption
Enable and manage encryption for the drives on the manager nodes and compute blades.
encryption disable
encryption enable
encryption rotate
encryption status
encryption unlock
Encryption commands prompt for the authentication key that was generated when you set up the keystore. You may not see a prompt if you have already authenticated and the session has not timed out (it times out after 10 minutes or when you exit from the ybcli). Encryption commands also require the keystore to be unlocked.
Note: Encryption commands can only be run via the ybcli on the primary manager node.
- encryption disable
Disable system-wide encryption on all drives, starting with the manager nodes, then proceeding to the compute blades. This command detects the drives that have encryption enabled and disables encryption only on those drives.
This command also detects the case where a drive key is missing from the keystore. If this occurs, you can try restoring the keystore from a backup, then run the disable command again.
    YBCLI (PRIMARY)> encryption disable
    Are you sure you want to disable encryption system wide?
    WARNING: This will unlock all drives, disable encryption and delete the keys from the keystore.
    Disabling encryption will take the database stack down.
    Type yes to continue: yes
    WARNING: The keystore is locked. Initiating unlocking
    Please enter an unlock key to begin unlocking the keystore:
    Key ->
    Verifiying keystore status. Standby...
    Keystore locked: NO
    Keystore was successfully unlocked
    Stopping YBD services before disabling encryption. Standby... Done
    Disabling encryption on manager node(s). Standby...
    Manager: yb00-mgr1.yellowbrick.io (local node)
    Drive-sda - Serial: S3D2NX0J507797Y -> Disabling encryption and removing key. Standby...Encryption disabled
    Drive-sdb - Serial: S3D2NX0J507787F -> Disabling encryption and removing key. Standby...Encryption disabled
    ...
    Disabling encryption on blades. Standby...
    Retrieving blade details. Standby...
    Blade in bay: 1 - UUID: 00000000-0000-0000-0000-38B8EBD004F6
    Drive-0 - Serial: S3EWNWAJ318665L -> Disabling encryption and removing key. Standby...Encryption disabled
    Drive-1 - Serial: S3EWNWAJ318656W -> Disabling encryption and removing key. Standby...Encryption disabled
    Drive-2 - Serial: S3EWNWAJ318660F -> Disabling encryption and removing key. Standby...Encryption disabled
    Drive-3 - Serial: S3EWNWAJ318658M -> Disabling encryption and removing key. Standby...Encryption disabled
    Drive-4 - Serial: S3EWNWAJ318653X -> Disabling encryption and removing key. Standby...Encryption disabled
    Drive-5 - Serial: S3EWNWAJ318652L -> Disabling encryption and removing key. Standby...Encryption disabled
    Drive-6 - Serial: S3EWNWAJ318657P -> Disabling encryption and removing key. Standby...Encryption disabled
    Drive-7 - Serial: S3EWNWAJ318651N -> Disabling encryption and removing key. Standby...Encryption disabled
    Blade in bay: 2 - UUID: 00000000-0000-0000-0000-38B8EBD0053C
    Drive-0 - Serial: S3EWNWAJ316127E -> Disabling encryption and removing key. Standby...Encryption disabled
    Drive-1 - Serial: S3EWNWAJ330178F -> Disabling encryption and removing key. Standby...Encryption disabled
    Drive-2 - Serial: S3EWNWAJ330176R -> Disabling encryption and removing key. Standby...Encryption disabled
    ...
- encryption enable
Enable system-wide encryption on all drives. The keystore must be set up and unlocked, and you must enter the authentication key. When you run this command, it detects the drives that require encryption to be enabled and proceeds.
This command may fail for any system components that are not online. For example, if a compute blade is not booted, encryption will not be enabled on its drives. After booting the blade, you can run the command again.
This command returns detailed output per blade and drive, indicating whether encryption is enabled. See Example: Set Up the Keystore and Enable Encryption.
- encryption rotate
Regenerate and rotate all encryption keys on all drives. Rotating keys on the drives requires the database to be shut down. You may want to run this command periodically to improve the security of the system. (This command does not generate new unlock and authentication keys for the keystore; see the keystore rotate command.) For example:
    YBCLI (PRIMARY)> encryption rotate
    WARNING: This command will rotate all keys of any encrypted drive in the system
    Type yes to continue: yes
    Do you want this command to show the actual drive keys generated?
    WARNING: The keys will be shown in clear text. Saying anything but yes below will not display the keys.
    Type yes to show drive keys: yes
    Authenticating to the keystore for this YBCLI session. Standby...
    Please enter keystore authentication key:
    Password:
    Key accepted. This session is authenticated for the next 10 minutes or until YBCLI exit.
    Rotating keys on manager node(s). Standby...
    Manager: yb00-mgr0.yellowbrick.io (local node)
    Drive-sda - Serial: S3D2NX0J601378A -> Generating key. Standby... KEY: TxXlBKj+E5N2QSoihv43pvynC7X+2BC0 Rotating key. Standby...Rotated
    Drive-sdb - Serial: S3D2NX0J601380W -> Generating key. Standby... KEY: ZP2YumewQta+5kyIxWa1sYtVrY28OMaT Rotating key. Standby...Rotated
    Manager: yb00-mgr1.yellowbrick.io (remote node)
    Drive-sda - Serial: S3D2NX0J507797Y -> Generating key. Standby... KEY: 84E3D+FbWShDszJfpSFR1z47rXEUzssn Rotating key. Standby...Rotated
    Drive-sdb - Serial: S3D2NX0J507787F -> Generating key. Standby... KEY: HmdiE0pk5K2R63bNmeolnKL97DBlzPF7 Rotating key. Standby...Rotated
    Rotating keys on blades. Standby...
    ...
- encryption status
Return the encryption status of all of the drives on the manager nodes and the blades. After encryption is enabled, all of the drives should report that they are enabled and unlocked. For example:
    YBCLI (PRIMARY)> encryption status
    Do you want this command to show the actual drive keys?
    WARNING: The keys will be shown in clear text. Saying anything but yes below will not display the keys
    Type yes to show drive keys: no
    Not displaying keys in clear text
    WARNING: The keystore is locked. Initiating unlocking
    Please enter a keystore unlock key to begin unlocking the keystore:
    Password:
    The keystore is not yet fully unlocked. Do you want to continue entering another key?
    Note: Keystore unlocking is stateful and the remaining key(s) can be provided at a later time.
    If the system is restarted or failed over, all keys will have to be provided again.
    Type yes to continue: yes
    Please enter another keystore unlock key to unlock the keystore (Progress: 1/2):
    Password:
    Verifiying keystore status. Standby...
    Keystore locked: NO
    Keystore was successfully unlocked
    Retrieving manager node encryption status. Standby...
    Local Manager drive encryption status:
    Supports encryption: 2/2
    Encryption enabled : 2/2
    Drives locked : 0/2
    DRIVE-sda - Serial: S3D2NX0J507797Y -> KEY PRESENT
    DRIVE-sdb - Serial: S3D2NX0J507787F -> KEY PRESENT
    Retrieving blade encryption status. Standby...
    Retrieving blade details. Standby...
    Blade in bay: 1 - UUID: 00000000-0000-0000-0000-38B8EBD00483
    Supports encryption: 8/8
    Encryption enabled : 8/8
    Drives locked : 0/8
    DRIVE-0 - Serial: S3EWNWAJ318665L -> KEY PRESENT
    DRIVE-1 - Serial: S3EWNWAJ318656W -> KEY PRESENT
    DRIVE-2 - Serial: S3EWNWAJ318660F -> KEY PRESENT
    DRIVE-3 - Serial: S3EWNWAJ318658M -> KEY PRESENT
    DRIVE-4 - Serial: S3EWNWAJ318653X -> KEY PRESENT
    DRIVE-5 - Serial: S3EWNWAJ318652L -> KEY PRESENT
    DRIVE-6 - Serial: S3EWNWAJ318657P -> KEY PRESENT
    DRIVE-7 - Serial: S3EWNWAJ318651N -> KEY PRESENT
    ...
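A small checker that parses the encryption status output in the form shown above and flags any manager or blade that is not fully enabled, has locked drives, or has a drive that does not report KEY PRESENT. This is an added example, not part of ybcli or the Yellowbrick documentation; the sample output is constructed with placeholder serials and UUID, and the "KEY MISSING" wording for a drive without a key is an assumption.

```python
import re

# Constructed sample modelled on the `encryption status` output above (serials and the
# UUID are placeholders). Blade 2 deliberately has a locked drive and a drive that does
# not report KEY PRESENT; the "KEY MISSING" text is an assumed value for that case.
SAMPLE_STATUS = """\
Local Manager drive encryption status:
Encryption enabled : 2/2
Drives locked : 0/2
DRIVE-sda - Serial: MGR-SERIAL-A -> KEY PRESENT
DRIVE-sdb - Serial: MGR-SERIAL-B -> KEY PRESENT
Blade in bay: 2 - UUID: 00000000-0000-0000-0000-000000000002
Encryption enabled : 7/8
Drives locked : 1/8
DRIVE-0 - Serial: BLADE2-D0 -> KEY PRESENT
DRIVE-1 - Serial: BLADE2-D1 -> KEY MISSING
"""

SECTION_RE = re.compile(r"^(?:Local Manager drive encryption status:|Blade in bay: (\d+))")
COUNT_RE = re.compile(r"^(Supports encryption|Encryption enabled|Drives locked)\s*:\s*(\d+)/(\d+)")
DRIVE_RE = re.compile(r"^DRIVE-\S+ - Serial: (\S+) -> (.+)$")

def parse_status(text):
    """Group the output by manager/blade: the x/y counters plus each drive's key state."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SECTION_RE.match(line):
            current = "manager" if m.group(1) is None else f"blade-{m.group(1)}"
            sections[current] = {"counts": {}, "drives": {}}
        elif current and (m := COUNT_RE.match(line)):
            sections[current]["counts"][m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif current and (m := DRIVE_RE.match(line)):
            sections[current]["drives"][m.group(1)] = m.group(2).strip()
    return sections

def find_problems(sections):
    """Anything short of 'all drives enabled, none locked, every key present' is a finding."""
    problems = []
    for name, info in sections.items():
        enabled = info["counts"].get("Encryption enabled")
        locked = info["counts"].get("Drives locked")
        if enabled and enabled[0] != enabled[1]:
            problems.append(f"{name}: encryption enabled on only {enabled[0]}/{enabled[1]} drives")
        if locked and locked[0] != 0:
            problems.append(f"{name}: {locked[0]} locked drive(s); a blade with locked drives cannot start")
        for serial, state in info["drives"].items():
            if state != "KEY PRESENT":
                problems.append(f"{name}: drive {serial} reports '{state}'")
    return problems
```

Feed it the captured output of `encryption status` after enabling or unlocking, and an empty findings list is the expected healthy result.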
- encryption unlock
Unlock all locked drives on the system. If a blade (worker node) has one or more drives that are locked, that worker node cannot start. This command prompts for the authentication key, then unlocks the drives by using the keys in the keystore. This command also starts the database as part of its normal operation. A warning message is displayed before the database is started.
If the manager node drives are locked when the system is powered on, start the ybcli. The ybcli will detect that the drives are locked and automatically return a prompt, asking you to continue by attempting to unlock the drives with the keys in the keystore. You will not be able to start the database until the drives are unlocked. If all of the drives on a manager node are locked, it cannot become the primary manager node.