partition smkrollover

This command, with the -start option, moves the current primary SMK to the Rollover location, and generates a new Primary SMK.

If you just want to generate a fresh SMK, and no external SKS blobs are encrypted with the previous SMK, then you can issue the command again with the -end option, and the task is finished.

If you are performing a rollover of an active SMK (as you might do, in compliance with your organization's key-rotation policy), then immediately after partition smkrollover -start you would insert and re-extract all SKS blobs that are encrypted by the old SMK. The HSM recognizes which SMK was used to encrypt a blob, and if it is the rollover SMK (or an SMK from a previous HSM generation, currently in the appropriate 'legacy' SMK location), it uses that SMK for the insertion. Re-extraction always uses the Primary SMK.

When all desired blobs have been re-extracted, the partition smkrollover -end command finishes the process.

CAUTION! The partition smkrollover -end command deletes the SMK from the Rollover space of the current partition, leaving only the new SMK in the Primary space. If you have exported any SKS blobs using the old SMK that you have not re-extracted with the new Primary SMK, then those blobs can never be inserted again, unless you have retained a backup of the old SMK.

Syntax

partition smkrollover [-start] [-end] [-force]

Argument   Shortcut   Description
-end       -e         End SMK rollover and delete the Rollover SMK.
-force     -f         Force the action without prompting for confirmation (useful when scripting commands).
-start     -s         Start SMK rollover, moving the pre-existing SMK to the Rollover space, and creating a new SMK in the Primary SMK space.

Example

lunacm:> partition smkrollover -start

        You are about to rollover the SMK.
        Are you sure you wish to continue?

        Type 'proceed' to continue, or 'quit' to quit now -> proceed

Command Result : No Error

Between issuing the -start and -end commands, insert and re-extract any SKS blobs that were encrypted/extracted with the old SMK, so that they are now encrypted with the new (Primary) SMK and stored externally.

lunacm:> partition smkrollover -end

        You are about to rollover the SMK.
        Are you sure you wish to continue?

        Type 'proceed' to continue, or 'quit' to quit now -> proceed

Command Result : No Error
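The following POSIX shell wrapper is an added example, not part of the Luna documentation: it runs the -start / re-extract / -end sequence above and refuses to issue -end unless every SKS blob in a directory re-extracted successfully, so the old SMK is never deleted while a blob still depends on it. LUNACM_CMD and REEXTRACT_CMD are assumed placeholders (a wrapper that runs one lunacm command non-interactively, and a command that re-inserts and re-extracts one blob), because the page does not show how lunacm is scripted or which commands handle SKS blobs.

```shell
#!/bin/sh
# Assumed placeholders (not from the page):
#   LUNACM_CMD    runs a single lunacm command string non-interactively
#   REEXTRACT_CMD <old-blob> <new-blob>  inserts the old blob and re-extracts
#                 it under the Primary SMK; exit 0 on success
LUNACM_CMD="${LUNACM_CMD:-lunacm_wrapper}"
REEXTRACT_CMD="${REEXTRACT_CMD:-reextract_blob}"

# Re-extract every *.blob in $1 into $2. Returns the number of failures,
# so a zero exit means every blob is now protected by the new Primary SMK.
reextract_all() {
    src="$1"; dst="$2"; failed=0
    mkdir -p "$dst"
    for blob in "$src"/*.blob; do
        [ -e "$blob" ] || continue          # no blobs: glob stays literal
        if "$REEXTRACT_CMD" "$blob" "$dst/$(basename "$blob")"; then
            :
        else
            echo "re-extract failed: $blob" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Full rollover: -start, re-extract, then -end only when nothing failed.
# Exit 0 = rollover completed; 1 = left open (old SMK still in Rollover
# space, so the failed blobs remain insertable); 2 = -start itself failed.
smk_rollover() {
    "$LUNACM_CMD" "partition smkrollover -start -force" || return 2
    if reextract_all "$1" "$2"; then
        "$LUNACM_CMD" "partition smkrollover -end -force"
    else
        echo "rollover left open: fix the failed blobs, then run -end" >&2
        return 1
    fi
}
```

Run it as smk_rollover /path/to/old-blobs /path/to/new-blobs; if it reports the rollover as left open, re-run the failed blobs and issue -end only afterwards.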