Example: Rotate the Keystore with Multiple Unlock Keys

The following ybcli output shows the complete process of rotating the keystore keys: the authentication key and, in this example, three unlock keys of which two are required to unlock the keystore. You cannot generate a new authentication key separately; it is replaced only as part of a keystore rotation.

YBCLI (PRIMARY)> keystore rotate

Rotating the keystore will generate new authentication and unlock keys.
Note: A backup of the current keystore will be performed prior to rotating the keystore.
Keystore rotation requires both the authentication and unlock keys to be present.

Do you want to rotate the keystore?

Type yes to continue: yes

Stopping the keystore before backup. Standby... Done
Backing up keystore. Standby...Done
Starting the keystore after backup. Standby... Done

The keystore has successfully been backed up to: /tmp/ybd-ks-10-25-2017-16-14-20.tar.gz
Please copy the backup to another machine. The backup is located on this system at:
	yb00-mgr1.yellowbrick.io:/tmp/ybd-ks-10-25-2017-16-14-20.tar.gz
	MD5: 7ab839eabcad275161a4b006d5d00ffc

Please enter a keystore unlock key to begin unlocking the keystore for rotation (ctrl-c to cancel): 
Key -> 

Please enter another keystore unlock key to unlock the keystore (Progress: 1/2): 
Key -> 

Authenticating to the keystore for keystore rotation. Standby...
Please enter keystore authentication key: 
Key -> 

Rotating the keystore. Standby...

Note: You can request up to 5 keystore unlock keys. In this way, multiple administrators can unlock the keystore
using a combination of keys. No single key has to be distributed to a single administrator.

How many unlock keys should be generated for the keystore? (1 to 5): 3
How many unlock keys should be required to unlock the keystore? (2 to 3): 2

The following unlock key(s) were generated. A total of 2 key(s) is required to unlock the keystore:
New keystore unlock key 1: fc243401f27cb29d8da94ff03df9facc5f1806511a3b05f02971d4957335b4a093
New keystore unlock key 2: 778d2a3724b7f4421c54d3dc4323809c6253b5cea706478c1160702b3f334cb765
New keystore unlock key 3: 5c83c05756909d209b130210a39b2693316c17a0ec55684f98ff28dff956d14d11

Rotating new authentication key. Standby...
New authentication key: 7c4012c2-0975-f93c-aedc-645564fe629c

Keys have been generated. Please store them in a safe place.

Do you want to create a backup of the keystore?

Type yes to continue: yes

Stopping the keystore before backup. Standby... Done
Backing up keystore. Standby...Done
Starting the keystore after backup. Standby... Done

The keystore has successfully been backed up to: /tmp/ybd-ks-10-25-2017-16-16-23.tar.gz
Please copy the backup to another machine. The backup is located on this system at:
	yb00-mgr1.yellowbrick.io:/tmp/ybd-ks-10-25-2017-16-16-23.tar.gz
	MD5: 6665faf86d1224be3aa2541d2f85ba64

Note: When restoring this backup, the keystore will have to be unlocked again by providing the unlock key(s)

Do you want to unlock the keystore again?
Note: This is not required unless you intend to run additional encryption commands. Any encryption
command will automatically prompt for keystore unlocking should it be required.

Type yes to continue: yes
Please enter a keystore unlock key to begin unlocking the keystore: 
Key -> 

The keystore is not yet fully unlocked.
Do you want to continue entering another key?
Note: Keystore unlocking is stateful and the remaining key(s) can be provided at a later time.
If the system is restarted or failed over, all keys will have to be provided again.

Type yes to continue: yes

Please enter another keystore unlock key to unlock the keystore (Progress: 1/2): 
Key -> 

Verifying keystore status. Standby...
Keystore locked: NO

Keystore was successfully unlocked

Keystore rotation successfully completed
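Once a backup archive has been copied to another machine, its integrity should be checked against the MD5 that ybcli printed for it. The Python helper below is an added example, not part of ybcli or any Yellowbrick tooling: it extracts each backup path and checksum from a saved session transcript (the sample lines are constructed from the session above) and compares the copied file's MD5 with the reported value.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Constructed excerpt of the ybcli session above; only the backup path and
# checksum lines matter to the parser.
SAMPLE_TRANSCRIPT = """\
The keystore has successfully been backed up to: /tmp/ybd-ks-10-25-2017-16-14-20.tar.gz
\tyb00-mgr1.yellowbrick.io:/tmp/ybd-ks-10-25-2017-16-14-20.tar.gz
\tMD5: 7ab839eabcad275161a4b006d5d00ffc
The keystore has successfully been backed up to: /tmp/ybd-ks-10-25-2017-16-16-23.tar.gz
\tyb00-mgr1.yellowbrick.io:/tmp/ybd-ks-10-25-2017-16-16-23.tar.gz
\tMD5: 6665faf86d1224be3aa2541d2f85ba64
"""

BACKUP_RE = re.compile(r"backed up to:\s*(\S+)")
MD5_RE = re.compile(r"MD5:\s*([0-9a-fA-F]{32})")


def parse_backups(transcript):
    """Pair each 'backed up to' path with the first MD5 line that follows it."""
    pairs, pending = [], None
    for line in transcript.splitlines():
        m = BACKUP_RE.search(line)
        if m:
            pending = m.group(1)  # a new path supersedes any unmatched one
            continue
        m = MD5_RE.search(line)
        if m and pending is not None:
            pairs.append((pending, m.group(1).lower()))
            pending = None
    return pairs


def md5_of_file(path, chunk_size=1 << 20):
    """Hash the archive in chunks so a large keystore backup is not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(copied_path, expected_md5):
    """True only if the copied file exists and hashes to the value ybcli reported."""
    if not Path(copied_path).is_file():
        return False
    return hmac.compare_digest(md5_of_file(copied_path), expected_md5.lower())
```

Run `verify_backup` against the copy on the second machine, passing the path and MD5 returned by `parse_backups` for the corresponding archive; a mismatch means the copy should be discarded and taken again.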