ONTAP 9.14.1 commands

security key-manager external azure rekey-external

Rekey an external key of the Vserver

Availability: This command is available to cluster and Vserver administrators at the advanced privilege level.


This command re-protects the key hierarchy with the user-designated AKV key encryption key (KEK). Before running this command, the user should already have made the necessary change on the Azure portal to use a new KEK for their key vault. The key-id used in this command is the key ID associated with the user's new AKV KEK. Upon successful completion of this command, the internal keys for the given Vserver will be protected by the new AKV KEK.


-vserver <Vserver Name> - Vserver

This parameter specifies the Vserver for which ONTAP should rekey the AKV KEK.

-key-id {scheme://(hostname|IPv4 Address|'['IPv6 Address']')…​} - Key Identifier of a new AKV Key Encryption Key

This parameter specifies the key id of the new AKV KEK that should be used by ONTAP for the provided Vserver.


The following command rekeys the AKV KEK for data Vserver v1 using a new key, key2, with version 12345678123412341234123456789012.

cluster-1::> security key-manager external azure rekey-external -vserver v1 -key-id https://kmip-akv-keyvault.vault.azure.net/keys/key2/12345678123412341234123456789012
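
A pre-flight check for the -key-id argument, as an added example that is not part of the ONTAP documentation. It assumes the key ID follows the layout of the example above (an https vault host, then /keys/<name>/<version>) with a 32-character hexadecimal version; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Assumed layout: https://<vault-host>/keys/<key-name>/<key-version>
KEY_NAME = re.compile(r"^[0-9A-Za-z-]{1,127}$")
KEY_VERSION = re.compile(r"^[0-9A-Fa-f]{32}$")


def parse_akv_key_id(key_id):
    """Return (vault_host, key_name, key_version) or raise ValueError."""
    if any(ch.isspace() for ch in key_id):
        raise ValueError("key-id contains whitespace")
    url = urlsplit(key_id)
    if url.scheme != "https":
        raise ValueError("key-id must use https")
    if not url.hostname or url.username or url.password:
        raise ValueError("key-id must name a vault host without credentials")
    if url.query or url.fragment:
        raise ValueError("key-id must not carry a query or fragment")
    parts = url.path.split("/")  # expected: ['', 'keys', name, version]
    if len(parts) != 4 or parts[1] != "keys":
        raise ValueError("key-id path must be /keys/<name>/<version>")
    name, version = parts[2], parts[3]
    if not KEY_NAME.match(name):
        raise ValueError("invalid key name")
    if not KEY_VERSION.match(version):
        raise ValueError("key-id must pin an explicit 32-hex-digit version")
    return url.hostname, name, version.lower()


def rekey_command(vserver, new_key_id, current_key_id=None):
    """Build the rekey-external command line after validating its inputs."""
    if not vserver or any(ch.isspace() for ch in vserver):
        raise ValueError("Vserver name must be non-empty without whitespace")
    new = parse_akv_key_id(new_key_id)
    # A rekey that points at the KEK already in use rotates nothing.
    if current_key_id is not None and parse_akv_key_id(current_key_id) == new:
        raise ValueError("new KEK is identical to the current KEK")
    return ("security key-manager external azure rekey-external "
            f"-vserver {vserver} -key-id {new_key_id}")


if __name__ == "__main__":
    # Constructed sample input, taken from the example command on this page.
    sample = ("https://kmip-akv-keyvault.vault.azure.net/keys/key2/"
              "12345678123412341234123456789012")
    print(parse_akv_key_id(sample))
    print(rekey_command("v1", sample))
```
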