A native key management service is an internal key management service provided by the cluster. It functions the same as an external key management service.
Procedure
Run the following command on any node in the cluster to view information about native key management services:
```
zbs-meta kms show_native
```
Output example
```
------------------------ -----------------------------------------
Provider Id              1487fdf7-f730-4d25-9b85-510322067010
Provider Name            NativeKMS
Last key rotate time     2026-01-06 14:26:57
Key rotate period        31536000
Last all key backup time -
Rotating master key      No
Status                   KMS_STATUS_RUNNING
Crypt Stats              AES256_CTR Encrypt Res Num: 0
------------------------ -----------------------------------------
```
Output note
| Parameter | Description |
|---|---|
| Provider Id | The ID of the key management service. |
| Provider Name | The name of the key management service. |
| Last key rotate time | The time when the master key was last rotated. |
| Key rotate period | The interval for automatic master key rotation, in seconds. |
| Last all key backup time | The time when all data keys were last backed up. |
| Rotating master key | Whether the cluster is rotating keys. |
| Status | The status of the key management service. |
| Crypt Stats | The encryption algorithms supported by the key management service and the number of resources in use. |
Procedure
Run the following command on any node in the cluster to create a key management service. Each ACOS cluster supports only one native key management service:
```
zbs-meta kms create_native --crypt_algos <CRYPT_ALGOS> [--key_rotate_period_seconds <KEY_ROTATE_PERIOD_SECONDS>]
```
| Parameter | Description |
|---|---|
| --crypt_algos <CRYPT_ALGOS> | The encryption algorithm enabled by the native key management service, which can be AES256_CTR. |
| --key_rotate_period_seconds <KEY_ROTATE_PERIOD_SECONDS> | The interval for automatic key rotation in the ACOS cluster, in seconds. Valid range: [86400, 31536000]. |
Output note
The output is the same as that of show_native.
Procedure
Run the following command on any node in the cluster to update the native key management service configuration:
```
zbs-meta kms update_native [--crypt_algos <CRYPT_ALGOS>] [--key_rotate_period_seconds <KEY_ROTATE_PERIOD_SECONDS>]
```
| Parameter | Description |
|---|---|
| --crypt_algos <CRYPT_ALGOS> | The encryption algorithm enabled by the native key management service, which can be AES256_CTR. |
| --key_rotate_period_seconds <KEY_ROTATE_PERIOD_SECONDS> | The interval for automatic key rotation in the ACOS cluster, in seconds. Valid range: [86400, 31536000]. |
Output note
If the command succeeds, no output is displayed.
Procedure
Run the following command on any node in the cluster to delete the native key management service. Deletion is allowed only if there are no encrypted resources (virtual volumes, volumes of VM templates, snapshots, iSCSI targets, LUNs, etc.):
```
zbs-meta kms delete_native
```
Output note
If the command succeeds, no output is displayed.
Use zbs-meta native_key -h to manage and view the current KMS key service status and key status.
Note
In most cases, only the show action is required. Other operations are special maintenance commands and require prior consultation with the development engineers.
| Parameter | Description |
|---|---|
| --mgt_id <MGT_ID> | Required for actions other than show. Set this parameter to the KMS instance ID. |
| --history | Displays historical KMS keys that exist in the cluster. |
Output example
The following displays an example output of the show operation:
```
$ zbs-meta native_key show
----------------- ----------------------------------------
KMS Id            e99e5601-0780-4c68-98a7-3b563d01c516
Created time      2025-12-30 19:29:15
Current shamir id nsk_6f751f04-7b8f-4409-8eaa-b02e17105988
Rotate period     31536000
Last rotate time  2026-01-05 19:30:50
----------------- ----------------------------------------
[State: NK_STATE_RUNNING]
[Current shamir key ⬇ ]
------------- ------------------------------------------------------------------------------
Key Id        nsk_6f751f04-7b8f-4409-8eaa-b02e17105988
Total mkey    10
Garbage mkey  8
Inuse mkey    2
Create time   2026-01-05 19:30:50
Zones summary zone_id: default
              k/n: 2/4
              dist_time: 2026-01-05 19:30:50, dist_no: 1
              protection: LEVEL4: All shares have acked
              share_cnt: 4, shares:
              - [share_id: 1, cid: 1, ip: 10.234.5.14, last_ack_time: 2026-01-06 17:19:29]
              - [share_id: 2, cid: 3, ip: 10.234.5.12, last_ack_time: 2026-01-06 17:19:29]
              - [share_id: 3, cid: 5, ip: 10.234.5.13, last_ack_time: 2026-01-06 17:19:29]
              - [share_id: 4, cid: 7, ip: 10.234.5.11, last_ack_time: 2026-01-06 17:19:29]
------------- ------------------------------------------------------------------------------
```
Output note
| KMS instance parameter | Description |
|---|---|
| KMS Id | The ID of the native KMS instance. |
| Created time | The creation time of the instance. |
| Current shamir id | The ID of the KMS key currently in use. |
| Rotate period | The interval for automatic KMS key rotation, in seconds. |
| Last rotate time | The time when the KMS key was last rotated. |
| State | The instance running status. |
| KMS key parameter | Description |
|---|---|
| Key Id | The KMS key ID. |
| Total mkey | The total number of master keys in the instance. |
| Garbage mkey | The number of expired master keys in the instance. |
| Inuse mkey | The number of master keys currently in use in the instance. |
| Create time | The creation time of the KMS key. |
| Zones summary | The shard placement plan of the KMS key. Pay attention to whether protection is at level 2 or above, and whether the last_ack_time of any share is outdated. |
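
The two checks named for Zones summary can be scripted over the show output. The following is an added example, not part of the product or its tooling: check_zones, max_ack_age (the page does not define "outdated") and the reading of k/n as Shamir threshold/total are assumptions, and the sample text is constructed from the output above with one timestamp altered.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the "Zones summary" lines of the example output above,
# with share 4's last_ack_time altered to show a stale share.
SAMPLE = """\
Zones summary zone_id: default
              k/n: 2/4
              dist_time: 2026-01-05 19:30:50, dist_no: 1
              protection: LEVEL4: All shares have acked
              share_cnt: 4, shares:
              - [share_id: 1, cid: 1, ip: 10.234.5.14, last_ack_time: 2026-01-06 17:19:29]
              - [share_id: 2, cid: 3, ip: 10.234.5.12, last_ack_time: 2026-01-06 17:19:29]
              - [share_id: 3, cid: 5, ip: 10.234.5.13, last_ack_time: 2026-01-06 17:19:29]
              - [share_id: 4, cid: 7, ip: 10.234.5.11, last_ack_time: 2026-01-05 19:30:50]
"""

TS = "%Y-%m-%d %H:%M:%S"
SHARE_RE = re.compile(r"share_id: (\d+), cid: (\d+), ip: ([\d.]+), last_ack_time: ([\d-]+ [\d:]+)")

def check_zones(text, now, max_ack_age=timedelta(hours=1), min_level=2):
    """Return a list of findings; an empty list means no issue was detected."""
    # Assumptions: max_ack_age is a local policy choice; k/n = threshold/total.
    findings = []
    level = re.search(r"protection: LEVEL(\d+)", text)
    if level is None:
        findings.append("protection level not found in output")
    elif int(level.group(1)) < min_level:
        findings.append(f"protection LEVEL{level.group(1)} is below LEVEL{min_level}")
    kn = re.search(r"k/n: (\d+)/(\d+)", text)
    shares = SHARE_RE.findall(text)
    if kn and len(shares) != int(kn.group(2)):
        findings.append(f"{len(shares)} shares listed, expected n={kn.group(2)}")
    fresh = 0
    for share_id, cid, ip, ack in shares:
        age = now - datetime.strptime(ack, TS)
        if age > max_ack_age:
            findings.append(f"share {share_id} (cid {cid}, {ip}) last acked {age} ago")
        else:
            fresh += 1
    if kn and fresh < int(kn.group(1)):
        findings.append(f"only {fresh} fresh shares, fewer than k={kn.group(1)}")
    return findings

if __name__ == "__main__":
    for line in check_zones(SAMPLE, now=datetime(2026, 1, 6, 17, 20, 0)):
        print("WARN:", line)
```

In practice, pass the captured text of zbs-meta native_key show and the current time instead of SAMPLE and the fixed timestamp.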