Recovering a master key from a recovery crypto unit

If your service instance includes recovery crypto units, the value held in the current master key register of a recovery crypto unit serves as the backup of the master key for your operational crypto units. If you initialized the service instance from recovery crypto units (with the ibmcloud tke auto-init command) or rotated the master key by using recovery crypto units (with the ibmcloud tke auto-mk-rotate command), the value in the recovery crypto unit is the only backup of the master key that exists for your service instance, so take care not to zeroize that crypto unit or clear its current master key register.

The value in the current master key register of a recovery crypto unit can be securely transferred to other current master key registers in service instances that are assigned to the current resource group by using the ibmcloud tke auto-mk-recover command.

You might need to use the command to recover the master key value in the following situations:

  • You inadvertently zeroize a crypto unit and need to reinitialize it.
  • You inadvertently clear the current master key register in a crypto unit.
  • Your hardware fails and a crypto unit needs to be replaced.
  • You need different service instances in the same resource group to use the same master key value.

Currently, service instances in the eu-es region don't support recovery crypto units, and cannot use this command. For more information about supported regions, see Regions and locations.

Before you begin

To use the command, make sure that the recovery crypto unit and all target crypto units meet the following requirements:

  • None of them is in imprint mode.
  • They all have the same signature threshold value.
  • The same set of administrators is installed on the recovery crypto unit and on every target crypto unit, and that common set is large enough to meet the signature threshold value. Administrators that exist on only some of the crypto units do not count toward the threshold.

To check that these conditions are met, select the recovery (source) crypto unit and the target crypto units by using the ibmcloud tke cryptounit-add command, and then run the ibmcloud tke cryptounit-compare command, which shows the settings of the selected crypto units side by side so that any difference is easy to spot.
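The following is an added example, not code from the IBM Cloud TKE CLI plug-in: it models the three preconditions above as a preflight check so that the subtle case is visible, namely that every crypto unit can carry enough administrators on its own and still fail because the administrators common to all of them fall short of the signature threshold. The crypto unit names, administrator names, and threshold values are constructed for illustration; in practice you read these values from the output of ibmcloud tke cryptounit-compare.

```python
"""Preflight model of the auto-mk-recover preconditions (added example).

Each crypto unit is described by the facts the TKE CLI reports for it:
whether it is in imprint mode, its signature threshold, and the set of
administrators installed on it. All data below is constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class CryptoUnit:
    name: str
    imprint_mode: bool
    signature_threshold: int
    administrators: FrozenSet[str]


def common_administrators(units: List[CryptoUnit]) -> FrozenSet[str]:
    """Administrators installed on every one of the given crypto units."""
    common = set(units[0].administrators)
    for unit in units[1:]:
        common &= unit.administrators
    return frozenset(common)


def recovery_preconditions(recovery: CryptoUnit,
                           targets: List[CryptoUnit]) -> List[str]:
    """Return the list of problems; an empty list means the command can proceed."""
    units = [recovery, *targets]
    problems: List[str] = []

    # 1. No crypto unit may still be in imprint mode.
    for unit in units:
        if unit.imprint_mode:
            problems.append(f"{unit.name}: still in imprint mode")

    # 2. Source and targets must share one signature threshold value.
    thresholds = {unit.signature_threshold for unit in units}
    if len(thresholds) != 1:
        problems.append(f"signature thresholds differ: {sorted(thresholds)}")

    # 3. The administrators common to ALL units must be able to meet the
    #    (highest) threshold; administrators present on only some units
    #    cannot sign for the others and therefore do not count.
    common = common_administrators(units)
    needed = max(thresholds)
    if len(common) < needed:
        problems.append(
            f"only {len(common)} administrator(s) common to all units, "
            f"need {needed} to meet the signature threshold")
    return problems


# Constructed sample data (hypothetical names and values).
RECOVERY = CryptoUnit("recovery-1", False, 2,
                      frozenset({"admin-1", "admin-2", "admin-3"}))
# Shares admin-1 and admin-2 with the recovery unit: enough for threshold 2.
TARGET_OK = CryptoUnit("operational-1", False, 2,
                       frozenset({"admin-1", "admin-2", "admin-4"}))
# Has three administrators of its own, but only admin-2 is common to all
# three units, so the set of three can no longer meet the threshold.
TARGET_BAD = CryptoUnit("operational-2", False, 2,
                        frozenset({"admin-2", "admin-5", "admin-6"}))

if __name__ == "__main__":
    for label, targets in (("recovery-1 -> operational-1", [TARGET_OK]),
                           ("recovery-1 -> both", [TARGET_OK, TARGET_BAD])):
        found = recovery_preconditions(RECOVERY, targets)
        print(label, "OK" if not found else "BLOCKED: " + "; ".join(found))
```

The check treats the administrator condition as an intersection across the recovery crypto unit and every target at once, because a single auto-mk-recover run has to be signed on all of them by the same administrators.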

Recovering master keys

Run the following command to recover a master key value from a recovery crypto unit:

ibmcloud tke auto-mk-recover

With this command, you can transfer the value in the current master key register of a recovery crypto unit to the current master key registers of any other crypto units in the same resource group. These can be operational crypto units or other recovery crypto units. With this command, you can use the same master key value in multiple service instances if they are in the same resource group.

To learn more about resource groups, see Managing resource groups.

What's next

For a complete TKE CLI plug-in command reference, see IBM Cloud TKE CLI.