Restoring the data encryption key (DEK)¶
Because your DEK contains key material shared among your VSatellites, the ability to restore it from a backup is critical.
You should only restore your DEK in cases where none of your VSatellites are operable. If you have at least one remaining and functioning VSatellite, you don't need to restore the DEK because it's distributed to other
So if you have no remaining and functioning VSatellites, use the import command to restore the DEK. However, you can only restore DEKs for which you've created a backup.
To restore a DEK
- Deploy a new VSatellite.
- From a command prompt, connect to the server where your new VSatellite is running.
- Run the following command:
./vsatctl import --api-key <api-key> --file path/to/dek/file.pem --passphrase <secret_passphrase>
After running the command, the DEK is redistributed to the functioning VSatellite and your DEK is restored.