Data-at-Rest Pool Key Tool (DcsPoolKeyCli)

The Data-at-Rest Pool Key tool (DcsPoolKeyCli) allows you to export, import, and delete keys, as well as list all available pool encryption keys used for the Data-at-Rest Encryption feature.

Each pool encryption key has a corresponding RSA key, which is used to encrypt/decrypt the pool. The pool encryption key is stored, encrypted, in the registry under SOFTWARE\DataCore\SANsymphony\PoolKeys, and the key used to decrypt it is stored in the Microsoft Software Key Storage Provider.

The tool supports the following commands:

Command Procedure
List All Available Key Pairs

Use the -l command.

PS C:\> .\DcsPoolKeyCli.exe -l

Export

Use the -e command, and pass the pool ID. The tool determines whether there is a persisted pool encryption key in the registry and retrieves the RSA key from the Microsoft Software Key Storage Provider. It then exports the plain (decrypted) key to the file you specify, or to a default file if none is provided.

PS C:\> .\DcsPoolKeyCli.exe -e -p:"pool_id"(required) -f:"filename.bin"(optional)

Include the curly brackets for the pool_id parameter. For example:

PS C:\> .\DcsPoolKeyCli.exe -e -p:"{12345678-1234-1234-1234-123456789012}" -f:"key.bin"

Import

Use the -i command, and pass the pool ID and the full path of the file containing the plain (decrypted) pool encryption key that you want to import. It will be persisted in the registry and a corresponding RSA key will be created and stored.

PS C:\> .\DcsPoolKeyCli.exe -i -p:"pool_id"(required) -f:"fullpath.bin"(required)

Delete

Use the -d command, and pass the pool ID. If there is an existing pool encryption key, it will be deleted, as well as its corresponding RSA key.

PS C:\> .\DcsPoolKeyCli.exe -d -p:"pool_id"(required)

Understand the risk before using this command: it permanently deletes the key. Back up (export) the key before running it.

Always run DcsPoolKeyCli.exe from a PowerShell console or Windows command prompt opened as an administrator.

Retrieving the Pool ID

To retrieve the pool ID:

  1. Open the DataCore Cmdlets.
  2. Run "Connect-DcsServer"
  3. Run "Get-DcsPool -Pool <PoolName>"
  4. The pool ID will be the value after the colon, enclosed in curly brackets. For example, {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
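
The backup-before-delete guidance above can be scripted so that a key is never deleted without a verified, access-restricted export. The following is an added example, not DataCore code: the script parameters, the tool location, and the -DeleteAfterBackup switch are assumptions, and only the -e, -d, -p: and -f: options come from this page.

```powershell
# Added example, not vendor code. Only -e, -d, -p: and -f: come from the page.
param(
    [Parameter(Mandatory)][string]$PoolId,      # include the curly brackets
    [Parameter(Mandatory)][string]$BackupFile,  # full path for the exported key
    [string]$Tool = '.\DcsPoolKeyCli.exe',      # assumed location of the tool
    [switch]$DeleteAfterBackup                  # hypothetical opt-in switch
)

# The tool must run elevated, so fail early if this console is not.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell console.'
}

# Reject IDs without braces or with stray spaces before they reach the tool.
if ($PoolId -notmatch '^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$') {
    throw "Pool ID '$PoolId' is not in the form {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}."
}

# Never overwrite an earlier backup.
if (Test-Path -LiteralPath $BackupFile) { throw "Refusing to overwrite '$BackupFile'." }

& $Tool -e "-p:$PoolId" "-f:$BackupFile"

# The tool's exit codes are not documented on the page, so verify the file itself.
$exported = Get-Item -LiteralPath $BackupFile -ErrorAction SilentlyContinue
if (-not $exported -or $exported.Length -eq 0) {
    throw 'Export produced no key file; nothing will be deleted.'
}

# The file holds the plain (decrypted) key: drop inherited ACEs and allow only
# SYSTEM (S-1-5-18) and local Administrators (S-1-5-32-544).
icacls $BackupFile /inheritance:r /grant:r '*S-1-5-18:F' '*S-1-5-32-544:F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not restrict access to '$BackupFile'." }

# Record a hash so the backup can be checked for corruption before an import.
$hash = (Get-FileHash -LiteralPath $BackupFile -Algorithm SHA256).Hash
Write-Output "Exported key for $PoolId to $BackupFile (SHA256 $hash)"

# Delete only when explicitly requested and only after the checks above passed.
if ($DeleteAfterBackup) {
    & $Tool -d "-p:$PoolId"
}
```

Because the exported file contains the unencrypted pool key, move it to protected offline or vaulted storage rather than leaving it on the server.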