Managing external key management services

An external key management service consists of one or more key management servers sharing data with each other. Any client registered on a node of the key management service can access any node in the service.

Creating an external key management service

Procedure

Run the following command on any node in the cluster to create an external key management service:

zbs-meta kms create_kmip --servers <SERVERS> [--vendor <VENDOR>] [--key_rotate_period_seconds <KEY_ROTATE_PERIOD_SECONDS>]
                        --certificate <CERTIFICATE> --private_key <PRIVATE_KEY> [--username <USERNAME>] [--password <PASSWORD>]
                        [--crypt_algos <CRYPT_ALGOS>]
                        <provider_name>
Parameter                                                Description
-------------------------------------------------------  -----------
--servers <SERVERS>                                      The information about the key management servers, formatted as host:port. Multiple servers can be specified, separated by commas (,).
--vendor <VENDOR>                                        The vendor of the key management service.
--key_rotate_period_seconds <KEY_ROTATE_PERIOD_SECONDS>  The interval for automatic key rotation in the ACOS cluster, in seconds. Valid range: [86400, 31536000].
--certificate <CERTIFICATE>                              The path to the certificate required for authentication when accessing the key management service.
--private_key <PRIVATE_KEY>                              The path to the private key required for authentication when accessing the key management service.
--username <USERNAME>                                    The username required for authentication when accessing the key management service.
--password <PASSWORD>                                    The password required for authentication when accessing the key management service.
--crypt_algos <CRYPT_ALGOS>                              The encryption algorithm enabled by the key management service, which can be AES256_CTR.
<provider_name>                                          The name of the key management service.

Output example

Provider Id:  1b8872b5-ffc4-4811-8671-b814efdf9c54
Provider Name:  kmip-kms
Vendor:  test-vendor
Auth Id:  ka-1b8872-01
Username:  test-username
Is Rotating Key:  False
Key Rotation Seconds:  31536000
Last Key Rotation Time:  2026-01-06 13:46:04.0
Last Key Backup Time:  2026-01-01 11:04:12.0
Crypt Stats:
  CipherFamily: AES256_CTR, Encrypt Res Num:  60
Status:  KMS_STATUS_RUNNING

ID            Host              Port  Status
------------  --------------  ------  ------------------------
ks-1b8872-01  192.168.2.2    5696  KMIP_SERVER_CONNECTED
ks-1b8872-02  172.20.1.1     5696  KMIP_SERVER_DISCONNECTED

Output note

Parameter               Description
----------------------  -----------
Provider Id             The ID of the key management service.
Provider Name           The name of the key management service.
Vendor                  The vendor of the key management service.
Auth Id                 The authentication information ID of the key management service.
Username                The username in the authentication information about the key management service.
Is Rotating Key         Whether the cluster is rotating keys.
Key Rotation Seconds    The interval for automatic key rotation in the cluster.
Last Key Rotation Time  The last key rotation time.
Last Key Backup Time    The last key backup time.
CipherFamily            The encryption algorithm enabled by the key management service.
Encrypt Res Num         The number of encryption resources associated with this encryption algorithm in the cluster.
Status                  The status of the key management service.
ID                      The ID of the key management server.
Host                    The IP address or domain name of the key management server.
Port                    The port of the key management service.
Status                  The status of the key management server.

Output note

If the command succeeds, no output is displayed.
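Pre-flight checks for the values described in the parameter table above, as an added example that is not part of the product documentation. The function names are hypothetical, and the requirement that the private key file carry no group or other permission bits is an assumption of this example, not a rule stated on this page.

```shell
#!/bin/sh
# Added example (not vendor code): validate arguments before running
# `zbs-meta kms create_kmip`. Function names are hypothetical.

# --key_rotate_period_seconds: integer in the documented range [86400, 31536000].
valid_rotate_period() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 8 ] && [ "$1" -ge 86400 ] && [ "$1" -le 31536000 ]
}

# --servers: comma-separated host:port entries (IPv4 address or DNS name;
# IPv6 literals are rejected by this check).
valid_servers() {
    case "$1" in ''|,*|*,|*,,*) return 1 ;; esac
    old_ifs=$IFS; IFS=,
    set -f; set -- $1; set +f          # split on commas without globbing
    IFS=$old_ifs
    for entry in "$@"; do
        case "$entry" in *:*) ;; *) return 1 ;; esac
        host=${entry%:*}; port=${entry##*:}
        case "$host" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
        case "$port" in ''|*[!0-9]*) return 1 ;; esac
        [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    done
}

# --private_key: regular file with no group/other permission bits
# (assumption of this example: the key should be readable by its owner only).
key_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ldL -- "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample values, not taken from a real cluster.
servers="192.168.2.2:5696,kms2.example.internal:5696"
period=31536000
if valid_servers "$servers" && valid_rotate_period "$period"; then
    echo "ok: --servers $servers --key_rotate_period_seconds $period"
else
    echo "rejected" >&2
fi
```

A value passed with `--password` is part of the command line, so it is visible in the process list while the command runs and may be saved in shell history.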

Updating the external key management service configuration

Procedure

Run the following command on any node in the cluster to update the external key management service configuration:

zbs-meta kms refresh_kmip [--provider_name <PROVIDER_NAME>] --servers <SERVERS> [--vendor <VENDOR>] [--key_rotate_period_seconds <KEY_ROTATE_PERIOD_SECONDS>] --certificate <CERTIFICATE> --private_key <PRIVATE_KEY> [--username <USERNAME>] [--password <PASSWORD>] [--crypt_algos <CRYPT_ALGOS>] <provider_id>   
Parameter                                                Description
-------------------------------------------------------  -----------
--provider_name <PROVIDER_NAME>                          The name of the key management service.
--servers <SERVERS>                                      The information about the key management servers, formatted as host:port. Multiple servers can be specified, separated by commas (,).
--vendor <VENDOR>                                        The vendor of the key management service.
--key_rotate_period_seconds <KEY_ROTATE_PERIOD_SECONDS>  The interval for automatic key rotation in the ACOS cluster, in seconds. Valid range: [86400, 31536000].
--certificate <CERTIFICATE>                              The path to the certificate required for authentication when accessing the key management service.
--private_key <PRIVATE_KEY>                              The path to the private key required for authentication when accessing the key management service.
--username <USERNAME>                                    The username in the authentication information about the key management service.
--password <PASSWORD>                                    The password in the authentication information about the key management service.
--crypt_algos <CRYPT_ALGOS>                              The encryption algorithm enabled by the key management service, which can be AES256_CTR.
<provider_id>                                            The ID of the key management service.

Output example

Provider Id:  1b8872b5-ffc4-4811-8671-b814efdf9c54
Provider Name:  kmip-kms
Vendor:  test-vendor
Auth Id:  ka-1b8872-01
Username:  test-username
Is Rotating Key:  False
Key Rotation Seconds:  31536000
Last Key Rotation Time:  2026-01-06 13:46:04.0
Crypt Stats:
  CipherFamily: AES256_CTR, Encrypt Res Num:  60
Status:  KMS_STATUS_RUNNING

ID            Host              Port  Status
------------  --------------  ------  ------------------------
ks-1b8872-01  192.168.2.2    5696  KMIP_SERVER_CONNECTED
ks-1b8872-02  172.20.1.1     5696  KMIP_SERVER_DISCONNECTED

Output note

Parameter               Description
----------------------  -----------
Provider Id             The ID of the key management service.
Provider Name           The name of the key management service.
Vendor                  The vendor of the key management service.
Auth Id                 The authentication information ID of the key management service.
Username                The username in the authentication information about the key management service.
Is Rotating Key         Whether the cluster is rotating keys.
Key Rotation Seconds    The interval for automatic key rotation in the cluster.
Last Key Rotation Time  The last key rotation time.
Last Key Backup Time    The last key backup time.
CipherFamily            The encryption algorithm enabled by the key management service.
Encrypt Res Num         The number of encryption resources associated with this encryption algorithm in the cluster.
Status                  The status of the key management service.
ID                      The ID of the key management server.
Host                    The IP address or domain name of the key management server.
Port                    The port of the key management service.
Status                  The status of the key management server.

Updating the external key management service information

Only the basic and authentication information about an external key management service can be updated.

Updating the external key management service basic information

Procedure

Run the following command on any node in the cluster to update the basic information about the external key management service:

zbs-meta kms update_kmip_attr [--name <NAME>] [--vendor <VENDOR>] [--key_rotate_period_seconds <KEY_ROTATE_PERIOD_SECONDS>] [--crypt_algos <CRYPT_ALGOS>] <provider_id>
Parameter                                                Description
-------------------------------------------------------  -----------
--name <NAME>                                            The name of the key management service.
--vendor <VENDOR>                                        The vendor of the key management service.
--key_rotate_period_seconds <KEY_ROTATE_PERIOD_SECONDS>  The interval for automatic key rotation in the cluster, in seconds. Valid range: [86400, 31536000].
--crypt_algos <CRYPT_ALGOS>                              The encryption algorithm enabled by the key management service, which can be AES256_CTR.
<provider_id>                                            The ID of the key management service.

Output note

If the command succeeds, no output is displayed.

Updating the external key management service authentication information

Procedure

Run the following command on any node in the cluster to update the authentication information about the external key management service:

zbs-meta kms update_kmip_auth [--action {add|set|delete}] [--force] [--auth_id AUTH_ID] [--certificate CERTIFICATE] [--private_key PRIVATE_KEY] [--username USERNAME] [--password PASSWORD] <provider_id>
Parameter                  Description
-------------------------  -----------
--action {add|set|delete}
--force                    Forcibly updates the key management service authentication information.
--auth_id AUTH_ID          The ID in the authentication information about the key management service.
--certificate CERTIFICATE  The path to the certificate required for authentication when accessing the key management service.
--private_key PRIVATE_KEY  The path to the private key required for authentication when accessing the key management service.
--username USERNAME        The username in the authentication information about the key management service.
--password PASSWORD        The password in the authentication information about the key management service.

Output note

If the command succeeds, no output is displayed.

Deleting an external key management service

Procedure

Run the following command on any node in the cluster to delete the external key management service. Deletion is allowed only if there are no encrypted resources (virtual volumes, volumes of VM templates, snapshots, iSCSI targets, LUNs, etc.):

zbs-meta kms delete_kmip <provider_id>
Parameter      Description
-------------  -----------
<provider_id>  The ID of the key management service.

Output note

If the command succeeds, no output is displayed.

Managing servers for an external key management service

Only the key management servers of an external key management service can be managed.

Viewing servers for an external key management service

Procedure

Run the following command on any node in the cluster to view the key management servers:

zbs-meta kms list_kmip_server [--show_task] <provider_id>
Parameter      Description
-------------  -----------
--show_task    Displays the heartbeat tasks of the key management servers.
<provider_id>  The ID of the key management service to which a key management server belongs.

Output example

Server:      192.168.20.227:5696
Heart Task:  2026-01-06 13:48:04 c0fe30d662484a608190da0cd6c39b6bcb2ba625366b45438abd9809d32e7946 EOK

ID            Host              Port  Status
------------  --------------  ------  ---------------------
ks-1b8872-01  192.168.20.227    5696  KMIP_SERVER_CONNECTED

Output note

Parameter   Description
----------  -----------
Server      The key management server information.
Heart Task  The heartbeat task information.
ID          The ID of the key management server.
Host        The IP address or domain name of the key management server.
Port        The port of the key management service.
Status      The status of the key management server.
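A health check over the status output shown on this page, as an added example that is not part of the product documentation. It assumes the column layout of the output examples (ID, Host, Port, Status), treats any value other than KMS_STATUS_RUNNING or KMIP_SERVER_CONNECTED as a problem, and uses hypothetical function names.

```shell
#!/bin/sh
# Added example (not vendor code): flag unhealthy state in the text printed by
# `zbs-meta kms list_kmip_server`, `create_kmip` or `refresh_kmip`.

# Reads command output on stdin and prints one line per problem found.
# Only the status values shown on this page are known, so anything other than
# KMS_STATUS_RUNNING / KMIP_SERVER_CONNECTED is reported.
kmip_problems() {
    awk '
        /^Status:/ { if ($2 != "KMS_STATUS_RUNNING") print "service " $2; next }
        /^-+ +-+/  { in_table = 1; next }   # separator row under the header
        NF == 0    { in_table = 0; next }   # blank line ends the table
        in_table && NF >= 4 {
            rows++
            if ($4 != "KMIP_SERVER_CONNECTED")
                print "server " $1 " " $2 ":" $3 " " $4
        }
        # Empty or unparseable input must not be mistaken for a healthy service.
        END { if (!rows) print "no server rows parsed" }
    '
}

# Exit status 0 only when no problem line is produced.
kmip_healthy() { [ -z "$(kmip_problems)" ]; }

# Constructed sample: trimmed copy of the create_kmip output example on this page.
sample_output() {
    cat <<'EOF'
Provider Name:  kmip-kms
Status:  KMS_STATUS_RUNNING

ID            Host              Port  Status
------------  --------------  ------  ------------------------
ks-1b8872-01  192.168.2.2    5696  KMIP_SERVER_CONNECTED
ks-1b8872-02  172.20.1.1     5696  KMIP_SERVER_DISCONNECTED
EOF
}

sample_output | kmip_problems
# On a cluster node: zbs-meta kms list_kmip_server <provider_id> | kmip_problems
```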

Updating a key management server of an external key management service

Procedure

Run the following command on any node in the cluster to update the key management server information:

zbs-meta kms update_kmip_server [--action {add|set|delete}] [--force] [--server_id <SERVER_ID>] [--name <NAME>] [--host <HOST>] [--port <PORT>] <provider_id>
Parameter                  Description
-------------------------  -----------
--action {add|set|delete}
--force                    Forcibly updates the key management server.
--server_id <SERVER_ID>    The ID of the key management server to update.
--name <NAME>              The name of the key management server.
--host <HOST>              The IP address or domain name of the key management server.
--port <PORT>              The port of the key management server.
<provider_id>              The ID of the key management service to which the key management server belongs.

Output note

If the command succeeds, no output is displayed.