Creating KeyIDs with the CLI

You can also create KeyIDs in the KeyControl webGUI as described in Creating KeyIDs in the webGUI.

  1. Log into any one of the VMs in the Cloud VM Set as an Administrator. The KeyID will be shared by all VMs in the set, regardless of which VM it was created on.
  2. Create the key by entering the command hcl keyid -c keyid_to_create [-s] [-a cipher] [-d description] [-e days_to_expire] [-o "NO USE"|"SHRED"], where: 

    • -c specifies the name of the KeyID you want to create. You can use special characters and spaces in the KeyID name.
    • -s tells KeyControl to make sure the cipher specified with the -a option is compatible with the version of OpenSSL currently installed on the VM.
    • -a is the encryption cipher that DataControl should use for the KeyID.

      • On Windows, we support AES-256 and AES-128 only.
      • On Linux, to view a list of available ciphers use the hcl ciphers command and look at the "List of openssl supported ciphers(for KeyIDs)" section; only the ciphers in that section can be used with -a. For example:

        # hcl ciphers
        List of available ciphers:
        	AES-XTS-512 (default)
        	AES-XTS-256
        	AES-256
        
        List of openssl supported ciphers(for KeyIDs):
        	AES-XTS-256
        	AES-256
        	AES-128
    • -d is a description for the KeyID. This description is displayed in the KeyControl webGUI and in the hcl keyid -l command, as shown below.
    • -e allows you to specify the number of days the key should be active before it expires. If you omit this option, the key never expires. What happens when a key expires is controlled by the -o option.
    • -o controls what happens when the key expiry date is reached. You can specify:

      • "NO USE" — The key is deactivated but retained. It can then be reactivated by setting a future date in the Expiry Date field in the KeyControl webGUI. This is the default.
      • "SHRED" — The key material is destroyed and cannot be retrieved, so any data encrypted with the KeyID becomes permanently unreadable. You should only use this option if you are absolutely certain that you will never need to access the selected disk again.

      For example:

      # hcl keyid -c hq_key -a AES-256 -d "Secure exchange of HQ data"
      # hcl keyid -c sf_datacenter -a AES-128 -d "Key for the San Francisco datacenter"
  3. To verify the KeyIDs you have created, enter the command hcl keyid -l. For example:

    # hcl keyid -l
    Keyid          Algorithm    Description
    -----          ---------    -----------
    hq_key         AES-256      Secure exchange of HQ data
    sf_datacenter  AES-128      Key for the San Francisco datacenter

For details about using the KeyIDs to encrypt and decrypt data, see Using KeyIDs for Encryption and Decryption.