Dell PowerScale OneFS: Security Considerations
SEDs master key rekey
As previously described, a 256-bit master key (MK) encrypts the Key Manager Database (KMDB) for SEDs. The MK may be stored locally on a node or on a KMIP server. PowerScale OneFS 9.5.0.0 provides an option to rekey the MK, irrespective of where it is stored. The rekey process generates a new MK, re-encrypts the KMDB with it, and then deletes the old MK.
The MK may be rekeyed on a specified schedule or as requested. Before configuring an MK rekey, consider the following information:
Before starting a rekey process, ensure that you understand the preceding considerations. A rekey may be requested immediately or scheduled with a cadence. The rekey operation is available through the CLI and the WebUI. In the WebUI, under Access > Key Management, select the SED/Cluster Rekey tab.
This section explains the SED MK rekey process. For the cluster rekey of other services, see Cluster services rekey.
To start a rekey of the MK immediately, from the CLI run the isi keymanager sed rekey start command. Alternatively, from the WebUI, under the SED/Cluster Rekey tab, select Rekey Now next to SED Keys, as shown in the following figure.
To schedule a rekey of the MK from the CLI, run the isi keymanager sed rekey modify command with the --key-rotation= option. Specify the frequency of the key rotation as an integer followed by a unit: Y for years, M for months, W for weeks, D for days, H for hours, m for minutes, and s for seconds. For example, to schedule the rekey operation for every 3 months, run the following command: isi keymanager sed rekey modify --key-rotation=3M.
Alternatively, from the WebUI, under the SED/Cluster Rekey tab, select Automatic rekey for SED keys and specify the rekey frequency, as shown in the following figure. Then click Save.
To see the current rekey status in the CLI, run the isi keymanager sed status command, as shown in the following figure.
If any errors occur during the rekey process, a CELOG event of type KeyManagerSedsRekeyFailed is generated. The rekey process is logged in /var/log/isi_km_d.log.
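The following shell script is an added example and is not part of the Dell white paper or the OneFS product. It validates a key-rotation interval in the integer-plus-unit format described above, converts it to seconds so a configured cadence can be compared against a policy ceiling, composes (without executing) the isi keymanager sed rekey modify command line with the --key-rotation option, and counts occurrences of the KeyManagerSedsRekeyFailed event name in a text listing. The 30-day month and 365-day year multipliers, the policy-check helper and the sample event listing are assumptions of the example; the isi CLI is never invoked.

```shell
#!/bin/sh
# Added example, not from the Dell white paper. Validates the <integer><unit>
# key-rotation interval used by
#   isi keymanager sed rekey modify --key-rotation=<interval>
# and composes (but never executes) that command line.

# validate_rotation INTERVAL
# Accepts a positive integer (no leading zero) followed by one unit letter:
# Y years, M months, W weeks, D days, H hours, m minutes, s seconds.
validate_rotation() {
    _num=${1%?}             # all but the last character
    _unit=${1#"$_num"}      # the last character
    [ -n "$_num" ] || return 1
    case "$_num" in
        0*|*[!0-9]*) return 1 ;;   # leading zero or a non-digit
    esac
    case "$_unit" in
        Y|M|W|D|H|m|s) return 0 ;;
        *) return 1 ;;
    esac
}

# rotation_to_seconds INTERVAL
# Prints the interval in seconds. Months are taken as 30 days and years as
# 365 days; that is an assumption of this example, adequate for comparing a
# configured cadence against a policy ceiling, not a calendar computation.
rotation_to_seconds() {
    validate_rotation "$1" || return 1
    _num=${1%?}
    _unit=${1#"$_num"}
    case "$_unit" in
        s) _mult=1 ;;
        m) _mult=60 ;;
        H) _mult=3600 ;;
        D) _mult=86400 ;;
        W) _mult=604800 ;;
        M) _mult=2592000 ;;
        Y) _mult=31536000 ;;
    esac
    echo $((_num * _mult))
}

# rotation_within_policy INTERVAL MAX_INTERVAL
# Succeeds when INTERVAL rekeys at least as often as MAX_INTERVAL demands.
rotation_within_policy() {
    _a=$(rotation_to_seconds "$1") || return 1
    _b=$(rotation_to_seconds "$2") || return 1
    [ "$_a" -le "$_b" ]
}

# rekey_modify_cmd INTERVAL
# Prints the CLI command that would schedule the rekey; it is only composed
# here so the interval can be reviewed before an operator runs it.
rekey_modify_cmd() {
    validate_rotation "$1" || return 1
    printf 'isi keymanager sed rekey modify --key-rotation=%s\n' "$1"
}

# count_rekey_failures FILE
# Counts lines in FILE that carry the CELOG event name raised when a rekey
# fails. The listing format is not specified by the white paper, so only the
# event name is matched, whatever surrounds it.
count_rekey_failures() {
    grep -c 'KeyManagerSedsRekeyFailed' "$1" || true
}

# Constructed sample event listing (not real OneFS output) for the demo.
SAMPLE_EVENTS=$(mktemp)
printf '%s\n' \
  '2024-01-01T00:00:00 KeyManagerSedsRekeyFailed node 3: SED master key rekey failed' \
  '2024-01-01T00:05:00 SomeOtherEvent node 3: informational' > "$SAMPLE_EVENTS"

# Demonstration when run directly.
for interval in 3M 12H 3X; do
    if validate_rotation "$interval"; then
        echo "$interval: valid, $(rotation_to_seconds "$interval") s -> $(rekey_modify_cmd "$interval")"
    else
        echo "$interval: rejected (use <integer><Y|M|W|D|H|m|s>)"
    fi
done
echo "rekey failures in sample listing: $(count_rekey_failures "$SAMPLE_EVENTS")"
```

Run the script as is to see the three intervals classified; call rotation_within_policy with the cadence you intend to configure and the longest interval your key-rotation policy permits before pasting the composed command into the cluster CLI.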