To use encryption with EKM for multiple tenants, an encryption group must be assigned at tenant creation. Multiple tenants can share the same encryption group. The group cannot be changed per tenant after tenant creation.
The default tenant is encrypted by a special encryption group that is created internally. It is named INTERNAL_ENCRYPTION_GROUP_CRN and is not user-provided. This encryption group does not use the EKM. Data stored in the default tenant is not protected with encryption keys provided by the EKM. Be sure to create at least one tenant to make use of EKM-managed keys.
With EKM encryption, data is encrypted using a data encryption key (DEK). There are two DEKs per encryption group which are used to encrypt all paths on the tenant(s) associated with the encryption group. Additional dedicated encryption groups can be created and used to encrypt specific paths, called encrypted paths.
Each encrypted path's encryption group can be managed independently to control the encryption status of the specific path. It is also affected by the encryption group of the tenant. For example, if the tenant's encryption group's keys are revoked, access is blocked to all paths on the tenant, including so-called encrypted paths.
DEKs are retrieved when needed from the EKM. For some EKMs, VAST Cluster uses a different key, called the key encryption key (KEK), to retrieve the DEKs for a given encryption group. VAST Cluster also generates one master key per cluster. The cluster uses the master key to encrypt the data encryption keys when they are distributed from the cluster node that hosts the encryption service client to the other nodes in the cluster.
Listing Encryption Groups
The encryptiongroup list VAST CLI command lists all encryption groups on the cluster and their state. For example:
vcli: admin> encryptiongroup list
+----+------+--------------------------------------------------------------------------------+--------+
| Id | Name | Crn                                                                            | State  |
+----+------+--------------------------------------------------------------------------------+--------+
| 4  | N/A  | T_04757adb-85c0-48eb-9cd9-ef8d23cdae6d_EP_602eb029-61c1-4570-a9b5-3a3161dad798 | ACTIVE |
| 1  | N/A  | INTERNAL_ENCRYPTION_GROUP_CRN                                                  | ACTIVE |
+----+------+--------------------------------------------------------------------------------+--------+
To map an encrypted path or tenant to its encryption group, check the encryption group ID shown in the details of the encrypted path or tenant, then look that ID up in the encryption group list. For example:
vcli: admin> encryptedpath show --id 1
+------------------+-------------+
| ID               | 1           |
| Name             | EPath       |
| Path             | /epath      |
| Tenant-id        | 1           |
| Tenant-name      | default     |
| Encryption-group | 4           |
+------------------+-------------+
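As an added audit helper that is not part of the VAST documentation or CLI: the script below parses captured output of the two commands above (transcribed from this page as constructed sample strings, border rows omitted) and joins an encrypted path's Encryption-group ID to the group list, flagging a group whose state is not ACTIVE, the internal group that does not use the EKM, and a path that lives on the default tenant. The table layout is assumed to match the listings shown above; ACTIVE is the only state string this page documents.

```python
# Constructed sample output, transcribed from the two VAST CLI listings on this
# page (`encryptiongroup list` and `encryptedpath show --id 1`); border rows omitted.
ENCRYPTION_GROUP_LIST = """\
| Id | Name | Crn                                                                            | State  |
| 4  | N/A  | T_04757adb-85c0-48eb-9cd9-ef8d23cdae6d_EP_602eb029-61c1-4570-a9b5-3a3161dad798 | ACTIVE |
| 1  | N/A  | INTERNAL_ENCRYPTION_GROUP_CRN                                                  | ACTIVE |
"""
ENCRYPTED_PATH_SHOW = """\
| ID               | 1       |
| Name             | EPath   |
| Path             | /epath  |
| Tenant-id        | 1       |
| Tenant-name      | default |
| Encryption-group | 4       |
"""
INTERNAL_CRN = "INTERNAL_ENCRYPTION_GROUP_CRN"  # internal group, not backed by the EKM


def table_rows(text):
    """Split vcli '|'-delimited output into cell lists, ignoring +---+ border lines."""
    return [[c.strip() for c in ln.strip().strip("|").split("|")]
            for ln in text.splitlines() if ln.lstrip().startswith("|")]


def parse_group_list(text):
    """Map group id -> {'crn', 'state'} from `encryptiongroup list` output (assumed layout)."""
    rows = table_rows(text)
    header = [h.lower() for h in rows[0]]
    return {int(r["id"]): {"crn": r["crn"], "state": r["state"]}
            for r in (dict(zip(header, row)) for row in rows[1:])}


def audit_encrypted_path(show_text, list_text):
    """Join an encrypted path's Encryption-group id to the group list and flag risks."""
    path = dict(table_rows(show_text))          # two-column key/value table
    groups = parse_group_list(list_text)
    gid = int(path["Encryption-group"])
    group = groups.get(gid)
    findings = []
    if group is None:
        findings.append("encryption group %d is not listed on the cluster" % gid)
    else:
        if group["state"] != "ACTIVE":
            findings.append("group keys are %s; clients cannot access the path" % group["state"])
        if group["crn"] == INTERNAL_CRN:
            findings.append("internal group: data is not protected by EKM-managed keys")
    if path.get("Tenant-name") == "default":
        findings.append("path is on the default tenant, whose tenant-level group is internal, not EKM-backed")
    return {"path": path["Path"], "group_id": gid, "findings": findings,
            "crn": group["crn"] if group else None, "state": group["state"] if group else None}
```

Running `audit_encrypted_path(ENCRYPTED_PATH_SHOW, ENCRYPTION_GROUP_LIST)` on the page's own listings resolves /epath to group 4 in state ACTIVE and reports only the default-tenant finding.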
Managing Encryption Keys
You can manage encryption keys and the master key in the following ways: deactivating and reinstating encryption keys, revoking encryption keys, rotating key encryption keys, and rotating the master key.
Deactivating and Reinstating Encryption Keys
Encryption keys can be deactivated and reinstated per encryption group. While keys are deactivated, they can no longer be used, and data that was written with a deactivated key cannot be accessed unless the keys are reinstated.
Deactivating and Reinstating Encryption Keys from the VAST Web UI
To deactivate or reinstate the encryption keys for a tenant-level encryption group:
From the left navigation menu, select Element Store and then Tenants.
Right-click a tenant that belongs to the encryption group and select either Deactivate Encryption Group or Reinstate Encryption Group.
Click Yes to confirm the action.
To deactivate or reinstate the encryption keys for an encrypted path's encryption group:
Right-click the encrypted path and select Deactivate Key or Reinstate Key.
Click Yes to confirm the action.
It takes some time for keys to be deactivated or reinstated. Once the keys are deactivated, the Reinstate option becomes available. The path is no longer accessible to clients and remains inaccessible unless and until the keys are reinstated.
Deactivating and Reinstating Encryption Keys from the VAST CLI
To deactivate any encryption group's keys, use the encryptiongroup revoke-encryption-group VAST CLI command.
To reinstate any encryption group's keys, use the encryptiongroup reinstate-encryption-group VAST CLI command.
To deactivate or reinstate encryption keys for a tenant-level encryption group, use the tenant alter-encryption-group-state command.
Revoking Encryption Keys
Revoking can be done for a tenant encryption group or for an encrypted path encryption group. Revoked keys are destroyed and cannot be reinstated; the encrypted data becomes permanently inaccessible. VAST Cluster supports key deactivation whether it is done on the EKM or from VMS.
Revoking Encryption Keys from the VAST Web UI
To revoke the encryption keys (DEKs+KEK) for a tenant-level encryption group:
From the left navigation menu, select Element Store and then Tenants.
Right-click a tenant that belongs to the encryption group and select Revoke Encryption Group.
Click Yes to confirm the action.
To revoke the encryption keys for an encrypted path's encryption group:
Right-click the encrypted path and select Revoke Key.
Click Yes to confirm the action.
It takes some time for a key to be deactivated. Once complete, the path is no longer accessible to clients and remains inaccessible.
Revoking Encryption Keys from the VAST CLI
To revoke any encryption group's keys, use the encryptiongroup deactivate-encryption-group VAST CLI command.
To revoke encryption keys for a tenant-level encryption group, use the tenant alter-encryption-group-state command.
Rotating Key Encryption Keys
VAST Cluster supports the rotation of key encryption keys. Rotating a key encryption key generates a new version of the key encryption key for a given encryption group. You can rotate a key encryption key from the VAST Web UI or the VAST CLI. It is preferable to do this on the cluster rather than on the EKM. If a key is rotated on the EKM, there will be a small delay until the cluster is aware of the change.
Note
Rotating keys does not prevent keys from expiring. Although keys are created without an expiration date, some EKM servers support setting one. For more information, see Avoiding Accidental Data Loss through Encryption Key Expiration.
Rotating Key Encryption Keys from the VAST Web UI
To rotate a key encryption key for an encryption group:
From the left navigation menu, select Element Store and then Tenants.
Right-click a tenant that belongs to the encryption group and select Rotate Encryption Group.
Click Yes to confirm the action.
To rotate the key encryption key for an encrypted path's encryption group:
Right-click the encrypted path and select Rotate Key.
Click Yes to confirm the action.
Rotating Key Encryption Keys from the VAST CLI
To rotate a key encryption key for a tenant-level encryption group from the VAST CLI, use the tenant rotate-encryption-group-key command.
To rotate any encryption group's key encryption key, use the encryptiongroup rotate-encryption-group-key VAST CLI command.
Rotating the Master Key
The master key should only be rotated from the cluster and not directly on the EKM. If a key is rotated on the EKM, there will be a small delay until the cluster is aware of the change.
Rotating the Master Key from the VAST Web UI
From the left navigation menu, select Settings, then Cluster and then KMIP.
Click the Rotate button and then click Yes to confirm the action.
Rotating the Master Key from the VAST CLI
You can rotate the master key using the cluster rotate-master-encryption-group-key VAST CLI command.