Encryption management methods
The management API includes storage component encryption methods.
Get encryption state
You can get the state of encryption for the HCP for cloud scale system.
POST https://host_ip:9099/mapi/v1/s3_encryption/get
Request body: Not applicable.
The response body structure is:
{ MAPIS3EncryptionSetting { "value": "{true|false}" } }
Parameter | Type | Description |
MAPIS3EncryptionSetting | Boolean | true if encryption is on, false otherwise. |
Status code | HTTP name | Description |
200 | OK | The request was executed successfully. |
401 | Unauthorized | Access was denied because credentials are not valid. |
405 | Method Not Allowed | The specified HTTP method is not allowed for a storage component. Resend using POST. |
Request example:
POST https://10.10.24.195:9099/mapi/v1/s3_encryption/get
JSON response:
{ MAPIS3EncryptionSetting { "value": "true" } }
Set encryption state
You can start encryption globally for the HCP for cloud scale system. Starting encryption initializes, configures, and unseals the key management server and returns an initial root token and a set of unseal keys. Once encryption is started, it can't be removed. The best practice is to encrypt and securely store the initial root token and unseal keys separately.
POST https://host_ip:9099/mapi/v1/s3_encryption/set
Request body: Not applicable.
The response body structure is:
{ "value": {true|false}, "rootToken":"root_token", "unsealKeys":["unseal_key_1","unseal_key_2","unseal_key_3","unseal_key_4","unseal_key_5"] }
Parameter | Type | Description |
value | Boolean | true if encryption is on, false otherwise. |
rootToken | Hex | The initial root token, used to authenticate login to the key management server. |
unsealKeys | Hex | A set of unseal keys. A quorum of unseal keys is required to restart the key management server. |
Status code | HTTP name | Description |
200 | OK | The request was executed successfully. |
401 | Unauthorized | Access was denied because credentials are not valid. |
405 | Method Not Allowed | The specified HTTP method is not allowed for a storage component. Resend using POST. |
503 | Service Unavailable | The key management system has not been set up. |
Request example:
POST https://10.10.24.195:9099/mapi/v1/s3_encryption/set
JSON response:
{ "value":true, "rootToken":"s.FBZngLG9RcyjBzddCxTwoMkk", "unsealKeys":[ "f7a0652cbe07d573a7eeab127ff102454c33adc9402e49622ffa5b5f43cec0794e", "4d7e620a694cb607dd1e503027f82880f376edfb1024548d0121572a3dc989c685", "6c6081054e26ec55824eb97481acd1f31d660d99e4ba158ca4248e39a8d4de1e16", "5dd42c8c60d60469d675dbaad15ff2a78d262cb42e2f9a798aa0b09f368b8caff4", "fdc2f29b4359a550916b43071501dab257b73f911960c7fc793f1a279f71091482"] }
Unseal
You can unseal all the instances of the key management server for the HCP for cloud scale system.
POST https://host_ip:9099/mapi/v1/s3_encryption/unseal
The request body is:
{ "unsealKey1": "string", "unsealKey2": "string", "unsealKey3": "string" }
Parameter | Required | Type | Description |
unsealKey1, unsealKey2, unsealKey3 | Yes | String | An unseal key. You must provide three unseal keys in the request. |
Response body: Not applicable.
Status code | HTTP name | Description |
200 | OK | The request was executed successfully. |
400 | Bad Request | The request is missing a valid unseal key. |
401 | Unauthorized | Access was denied because credentials are not valid. |
405 | Method Not Allowed | The specified HTTP method is not allowed for a storage component. Resend using POST. |
Request example:
POST https://10.10.24.195:9099/mapi/v1/s3_encryption/unseal
JSON request:
{ "unsealKey1": "f7a0652cbe07d573a7eeab127ff102454c33adc9402e49622ffa5b5f43cec0794e", "unsealKey2": "4d7e620a694cb607dd1e503027f82880f376edfb1024548d0121572a3dc989c685", "unsealKey3": "6c6081054e26ec55824eb97481acd1f31d660d99e4ba158ca4248e39a8d4de1e16" }
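The following is an added example, not part of the original page or the product's own code. It splits a set-encryption response into a root token and per-custodian unseal-key records so they can be stored separately, and pre-validates the three-key body for the unseal request. The function names, the distinct-keys check, and the sample response are assumptions constructed for illustration.

```python
import json
import string

KEYS_PER_UNSEAL = 3  # the page: three unseal keys per unseal request

def split_set_response(body):
    """Split a set-encryption response so each secret can be stored separately."""
    doc = json.loads(body)
    if doc.get("value") is not True:
        raise ValueError("encryption is not on; no secrets to store")
    keys = doc["unsealKeys"]
    if len(keys) < KEYS_PER_UNSEAL or len(set(keys)) != len(keys):
        raise ValueError("unexpected unsealKeys list")
    # One record per custodian; the root token is kept apart from every key.
    shares = [{"custodian": n, "unsealKey": k} for n, k in enumerate(keys, 1)]
    return doc["rootToken"], shares

def build_unseal_body(keys):
    """Build the unseal request body from exactly three distinct hex keys."""
    keys = [k.strip() for k in keys]
    if len(keys) != KEYS_PER_UNSEAL:
        raise ValueError("exactly three unseal keys are required")
    # Assumption: a repeated key is treated as an operator error, caught client-side.
    if len({k.lower() for k in keys}) != KEYS_PER_UNSEAL:
        raise ValueError("unseal keys must be distinct")
    for k in keys:
        if not k or any(c not in string.hexdigits for c in k):
            raise ValueError("unseal key is not a hex string")
    return json.dumps({f"unsealKey{n}": k for n, k in enumerate(keys, 1)})

def redact(secret):
    """Form that is safe for logs: length and last four characters only."""
    return f"<{len(secret)} chars, ends {secret[-4:]}>"

# Constructed sample response (not real key material).
SAMPLE_SET_RESPONSE = json.dumps({
    "value": True,
    "rootToken": "s.CONSTRUCTEDEXAMPLETOKEN",
    "unsealKeys": [f"{n:02x}" * 33 for n in range(1, 6)],
})

if __name__ == "__main__":
    token, shares = split_set_response(SAMPLE_SET_RESPONSE)
    body = build_unseal_body([s["unsealKey"] for s in shares[:3]])
    print(redact(token), [redact(s["unsealKey"]) for s in shares], len(body))
```

Only the redacted form is printed; the token and each key record are meant to be handed to separate storage locations rather than written to one file or log.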