Recovering KMS by regenerating the data encryption key
You can regenerate the complete KMS database by regenerating the data encryption keys. The goal is to create a brand new empty KMS database and then repopulate it with all your individual key records.
Note:
A randomly-generated key cannot be recovered if it is lost.
To recover KMS by regenerating the data encryption key
- Create an empty KMS database by running the following command:
nbkms -createemptydb
You do not have to use the same host master key and key protection key. You can choose new keys.
- Run the nbkmsutil -recoverkey command and specify the key group, key name, and tag.
nbkmsutil -recoverkey -kgname ENCR_pool1 -keyname Q1_2008_key -tag d5a2a3df1a32eb61aff9e269ec777b5b9092839c6a75fa17bc2565f725aafe90
If you did not keep an electronic copy of the output of the nbkmsutil -listkey command when you created the key, you must enter all 64 characters manually.
- Enter the passphrase (and salt) at the prompt. It must exactly match the passphrase you provided when the key was originally created.
The salt (if applicable) must match the salt that was used for the key you want to recover.
Note:
If the tag you enter already exists in the KMS database, you cannot recreate the key.
- If the recovered key is the key that you want to use for backups, run the following command to make the key active:
nbkmsutil -modifykey -kgname ENCR_pool1 -keyname Q1_2008_key -state active
The -recoverkey option brings the key record into the KMS database in the inactive state, so it is not used for backups until you activate it.
- If this is a key record that is to be deprecated, run the following command:
nbkmsutil -modifykey -kgname ENCR_pool1 -keyname Q1_2008_key -state deprecated
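The -recoverkey step above is typed once per key record. As an added example that is not part of the NetBackup documentation or tooling, the POSIX shell script below drives nbkmsutil -recoverkey for every record in a saved inventory file and rejects any tag that is not 64 hexadecimal characters before the tool is called. The inventory format (key_group,key_name,tag per line), the NBKMS_DRY_RUN variable and the sample records are assumptions; the tag in the sample is the one from the procedure above.

```shell
#!/bin/sh
# Added example, not NetBackup's own tooling. ASSUMED inventory format:
# one record per line "key_group,key_name,tag"; blank and '#' lines ignored.
# Dry run (print commands only) unless NBKMS_DRY_RUN=0.

# Return 0 if $1 is a 64-character hexadecimal key tag, else 1.
valid_tag() {
    tag="$1"
    [ "${#tag}" -eq 64 ] || return 1
    case "$tag" in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

# Print the nbkmsutil -recoverkey command for one record.
recover_cmd() {
    printf 'nbkmsutil -recoverkey -kgname %s -keyname %s -tag %s\n' "$1" "$2" "$3"
}

# Walk the inventory; skip malformed tags; run or echo the recovery.
# Returns the number of records that were skipped or failed.
recover_from_inventory() {
    bad=0
    # Records come in on fd 3 so nbkmsutil keeps the terminal on stdin for its prompt.
    while IFS=, read -r kgname keyname tag <&3; do
        case "$kgname" in ''|'#'*) continue ;; esac
        if ! valid_tag "$tag"; then
            printf 'skip %s/%s: tag is not 64 hex characters\n' "$kgname" "$keyname" >&2
            bad=$((bad + 1))
            continue
        fi
        if [ "${NBKMS_DRY_RUN:-1}" != 0 ]; then
            recover_cmd "$kgname" "$keyname" "$tag"
        else
            nbkmsutil -recoverkey -kgname "$kgname" -keyname "$keyname" -tag "$tag" \
                || bad=$((bad + 1))
        fi
    done 3< "$1"
    return "$bad"
}

# Constructed sample inventory (not real key material): one good record, one truncated tag.
write_sample_inventory() {
    cat > "$1" <<'EOF'
# key_group,key_name,tag
ENCR_pool1,Q1_2008_key,d5a2a3df1a32eb61aff9e269ec777b5b9092839c6a75fa17bc2565f725aafe90
ENCR_pool1,typo_key,d5a2a3df1a32eb61
EOF
}
```

Each real (non-dry) run still stops at the passphrase and salt prompt for every key, exactly as in the manual procedure.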