SEDs universal key rekey
As previously described, a 256-bit universal key (UK) encrypts the Key Manager Database (KMDB) for SEDs. The UK may be stored locally on a node or using a KMIP server. PowerScale OneFS 9.5.0.0 provides an option to rekey the UK, irrespective of where it is stored. The rekey process generates a new UK and re-encrypts the KMDB, and the old UK is then deleted.
The UK may be rekeyed on a specified schedule or as requested. Before configuring a UK rekey, consider the following information:
Before starting a rekey process, ensure that you understand the preceding considerations. A rekey may be requested immediately or may be scheduled with a cadence. The rekey operation is available through the CLI and the WebUI. In the WebUI, under Access > Key Management, select the SED/Cluster Rekey tab.
This section explains the SED UK rekey process. For the cluster rekey of other services, see Cluster services rekey.
To start a rekey of the UK immediately, from the CLI run the isi keymanager sed rekey start command. Alternatively, from the WebUI, under the SED/Cluster Rekey tab, select Rekey Now next to SED Keys, as shown in the following figure.
To schedule a rekey of the UK from the CLI, run the isi keymanager sed rekey modify command with the --key-rotation= option. Specify the frequency of the key rotation as an integer followed by a unit: Y for years, M for months, W for weeks, D for days, H for hours, m for minutes, and s for seconds. The unit is case-sensitive (M is months, m is minutes). For example, to have the rekey operation scheduled for every 3 months, run the following command: isi keymanager sed rekey modify --key-rotation=3M.
Alternatively, from the WebUI, under the SED/Cluster Rekey tab, select Automatic rekey for SED keys and specify the rekey frequency, as shown in the following figure. Then click Save.
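The following shell sketch is an added example, not part of the Dell documentation: it validates a rotation value in the integer-plus-unit format described above and compares it with a key-age policy before the value is passed to isi keymanager sed rekey modify. The function names, the 30-day month and 365-day year conversions, and the one-day and one-year policy bounds are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Unit letters come from the page; the 30-day month, 365-day
# year and the policy bounds passed to check_rotation are assumptions.

# Print the interval in seconds, or return 1 if VALUE is not <integer><unit>.
rotation_seconds() {
    unit=${1#"${1%?}"}      # last character of the value
    count=${1%?}            # everything before the last character
    case $count in
        ''|0*|*[!0-9]*) return 1 ;;   # empty, zero or leading zero, non-digit
    esac
    case $unit in           # case-sensitive: M is months, m is minutes
        Y) mult=31536000 ;;
        M) mult=2592000 ;;
        W) mult=604800 ;;
        D) mult=86400 ;;
        H) mult=3600 ;;
        m) mult=60 ;;
        s) mult=1 ;;
        *) return 1 ;;
    esac
    echo $((count * mult))
}

# Print ok, invalid, too-frequent or too-infrequent for VALUE MIN_SECS MAX_SECS.
check_rotation() {
    secs=$(rotation_seconds "$1") || { echo invalid; return 0; }
    if [ "$secs" -lt "$2" ]; then echo too-frequent
    elif [ "$secs" -gt "$3" ]; then echo too-infrequent
    else echo ok
    fi
}

# Constructed sample inputs. 3m (minutes) is a likely typo for 3M (months).
for v in 3M 3m 2Y 90D 3 M3; do
    verdict=$(check_rotation "$v" 86400 31536000)
    if [ "$verdict" = ok ]; then
        echo "$v: ok -> isi keymanager sed rekey modify --key-rotation=$v"
    else
        echo "$v: $verdict"
    fi
done
```

The script only prints the command for values that pass; it does not run isi itself.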
To see the current rekey status in the CLI, run the isi keymanager sed status command, as shown in the following figure.
If any errors occur during the rekey process, a KeyManagerSedsRekeyFailed CELOG event is generated. The rekey process is logged in /var/log/isi_km_d.log.