If encryption is enabled with an external Encryption Key Manager (EKM) such as Thales Group CipherTrust Data Security Platform, Fortanix DSM, or HashiCorp Vault Enterprise, this command can deactivate, reinstate, or irreversibly revoke and destroy all encryption keys for an encryption group on the EKM.
When running this command, you specify one tenant. Keys are deactivated/reinstated/revoked for all tenants that share the same encryption group as the specified tenant. The encryption group to which each tenant belongs is identified by an identifier called the encryption CRN. You can display the encryption CRN per tenant with the tenant list command.
Usage
tenant alter-encryption-group-state --id ID [--deactivate]|[--reinstate] [--revoke]
Required Parameters
| --id ID | Specifies a tenant. |
Options
| --deactivate | Deactivates all keys for the specified tenant's encryption group. When the keys are deactivated, data encrypted with those keys is no longer accessible. After running the command with this option, the keys can be reinstated by running the command again with the |
| --reinstate | Reinstates keys deactivated by the |
| --revoke | Revokes and irreversibly destroys all keys for the specified tenant's encryption group. Data encrypted with the revoked keys is no longer accessible. |
Examples
vcli: admin> tenant alter-encryption-group-state --id 4 --revoke
vcli: admin> tenant alter-encryption-group-state --deactivate --id 3
Tenants using this encryption group: tenant1.
Are you sure you want to deactivate tenant's encryption group? [y/N]
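
Because the command acts on every tenant that shares the specified tenant's encryption CRN, it helps to work out the affected set before answering the confirmation prompt, especially for --revoke. The following is an added example, not part of the product or its documentation: the record layout, CRN strings, tenant names other than tenant1, and function names are assumptions, with records transcribed by hand from the tenant list command.

```python
from collections import defaultdict

# Constructed sample records: (tenant id, tenant name, encryption CRN).
# The tuple layout and CRN strings are assumptions, not the real output
# format of `tenant list`; transcribe the three fields from that command.
TENANTS = [
    (1, "default", "crn:constructed:group-a"),
    (3, "tenant1", "crn:constructed:group-b"),
    (4, "finance", "crn:constructed:group-c"),
    (7, "finance-dr", "crn:constructed:group-c"),
    (9, "scratch", None),  # tenant without an EKM encryption group
]

ACTIONS = ("deactivate", "reinstate", "revoke")


def encryption_groups(tenants):
    """Map each encryption CRN to the (id, name) pairs that share it."""
    groups = defaultdict(list)
    for tid, name, crn in tenants:
        if crn:
            groups[crn].append((tid, name))
    return dict(groups)


def blast_radius(tenants, target_id):
    """Return (crn, affected tenants) for a key-state change on target_id."""
    crn_by_id = {tid: crn for tid, _, crn in tenants}
    if target_id not in crn_by_id:
        raise KeyError(f"unknown tenant id {target_id}")
    crn = crn_by_id[target_id]
    if crn is None:
        return None, []
    return crn, sorted(encryption_groups(tenants)[crn])


def approve(tenants, target_id, action, acknowledged_ids):
    """Approve only if every affected tenant was explicitly acknowledged."""
    if action not in ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    _, affected = blast_radius(tenants, target_id)
    if not affected:
        return False
    return {tid for tid, _ in affected} == set(acknowledged_ids)
```

An operator acknowledging only tenant 4 is refused here, because tenant 7 shares the same encryption CRN and would lose access to its data as well.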