-createkey

Create a new key. The default state of the new key is Prelive.

-createkg

Create a new key group. The default cipher of the new key group is AES_256.

-deletekey

Delete a key. Only keys in Prelive and Terminated states can be deleted.

-deletekg

Delete a key group. Only empty key groups can be deleted.

-gethmkid

Return the current HMK ID.

-getkpkid

Returns the current KPK ID.

-ksstats

Returns the keystore statistics. The statistics consist of the number of key groups, the total number of keys, and the outstanding quiesce calls.

-listkeys

Get the details of keys.

-listkgs

Get the details of the key groups. If no option is specified, retrieve the details of all the key groups.

-modifyhmk

Modify the host master key (HMK). HMK is used to encrypt the keystore. To modify the HMK, provide an optional seed (passphrase) and an HMK ID which can remind the user of the specified passphrase. The passphrase and the HMK ID are both read interactively.

-modifykey

Modify key attributes.

-modifykg

Modify key group attributes.

-modifykpk

Modify the key protection key (KPK). KPK is used to encrypt KMS keys. KPK is per keystore. To modify the KPK, provide an optional seed (passphrase) and a KPK ID which can remind the user of the specified passphrase. The passphrase and the KPK ID are both read interactively.

-quiescedb

Sends a quiesce request to KMS. If the command succeeds, the current outstanding quiesce count is returned (as multiple backup jobs might quiesce the KMS DB to back it up)

-recoverkey

Restore could fail if a key used in encrypting the backup data is lost. Such Keys can be recovered (re-created) with the knowledge of the original Key's attributes (tag and passphrase).

-unquiescedb

Sends an unquiesce request to KMS. If the command succeeds, the current outstanding quiesce count is returned. A count of zero (0) means that the KMS database is completely unquiesced.

-activate

Sets the state of the specified key to active. The default state is prelive.

-activekey

Retrieves the details of a specific key group's active key.

-cipher

The type of cipher that the key group supports. All keys that belong to a key group support the same cipher type. Supported cipher types are BLOW, AES_128, AES_192, and AES_256 (default cipher).

-emptykgs

Retrieves the details of all the key groups with zero keys in it.

-keyname

key_name specifies the name of a key. This name should be unique within a key group. The key group name and key name uniquely identify a key in the keystore .

-kgname

key_group_name specifies the name of a key group. Within a keystore , a key group is uniquely identified by its name.

-name

Specifies the new name of the key group when used with -modifykg or the new name of the key when used with -modifykey. The new key group name must not conflict with other names in the keystore .

-noactive

Retrieves the details of all the key groups in which there are no active keys.

-nopphrase

Disables the utility function that prompts you for a pass phrase. Instead, the utility creates the key. The default condition is the use of the pass phrase to create a key with a seed. A lengthy seed and a strong seed results in a strong key.

-noverbose

Disables verbosity. The default condition is verbosity, which prints the details in readable format.

-state

new_state specifies the new state of the Key. Possible states are Prelive, Active, Inactive, Deprecated, and Terminated.

-tag

key_tag specifies a random unique identifier that is created for the key record that the utility creates. The listkey option can display this tag. If you need to recover (recreate) the key record, you need to use the original tag value, hence the - tag option for these recovery options.