hvrwalletconfig
Usage
hvrwalletconfig [-Rurl]
List the current wallet configuration.

hvrwalletconfig [-Rurl] [-ojsonfile] [-E] [properties]...
Print the specified wallet properties (property...), or all if none are specified.

hvrwalletconfig [-Rurl] [-p] [-ijsonfile] [-E] [property=[value]]...
Set or unset the specific wallet properties supplied in the jsonfile and/or directly on the command line.

hvrwalletconfig [-Rurl] -C
Continue re-encrypting the secrets.

hvrwalletconfig [-Rurl] -c [-p] [-ijsonfile] [-E] [property=[value]]...
Create/configure a wallet with the wallet properties supplied in the jsonfile and/or directly on the command line.

hvrwalletconfig [-Rurl] -d [-f]
Delete/disable the wallet.

hvrwalletconfig [-Rurl] -m [-p] [-r] [-ijsonfile] [-E] [property=[value]]...
Migrate the wallet.

hvrwalletconfig [-Rurl] -r
Rotate the encryption key.

hvrwalletconfig [-Rurl] -S
Delete old encryption keys.

hvrwalletconfig [-Rurl] -T
Delete old encryption keys.
Description
Command hvrwalletconfig allows you to create, delete, and configure the encryption wallet and its properties. This command can be used to enable/disable the hub wallet, set the wallet password, auto-open the hub wallet, rotate the hub wallet encryption key, change the wallet password, and delete the hub wallet. If this command is executed without any options, it lists the current wallet configuration.
Argument properties specifies the properties that define the wallet configuration. For more information, see section Wallet Properties.
For more information about the wallet and encryption, see Hub System Encryption Wallet.
Options
This section describes the options available for command hvrwalletconfig.
Parameter | Description |
---|---|
-c | Configure an encryption wallet. When configuring a software wallet, you can supply option -p to specify the KMS secret access key. |
-C | Continue re-encrypting secrets. This option is used if a previous Reencrypt_Secrets event failed. |
-d | Disables the encryption wallet. This option sets the wallet Type to DISABLED. |
-Ex | Override automatic encoding/decoding of string properties when reading a property from file using When this option is not used, the Valid values of
|
-f | Force disable wallet or re-encrypt secrets.
This option may be used in combination with
|
-G | Purge cache-based wallet configuration (i.e., wallet properties that have been cached).
|
-ijsonfile | Read wallet properties from JSON file jsonfile. |
-m | Migrate a wallet to different storage instead of modifying its configuration in place. Wallet migration moves the encryption key from one wallet configuration to another. The encryption key does not change, but its encrypted storage is first decrypted by the old wallet and then encrypted by the new wallet. For more information, see section Hub Wallet Migration in Hub System Encryption Wallet. For a KMS wallet, this option is used to migrate a hub wallet from a previous KMS account/settings to a new KMS account/settings, or when a user switches to a non-KMS wallet. This option is mandatory when migrating to another KMS wallet. |
-ojsonfile | Write wallet properties to JSON file jsonfile. If no properties are specified on the command line, then all properties are fetched from the repository. |
-p | Set a new password for the wallet. The following operations require providing a new password: configuring a new wallet, and migrating a wallet (to a different wallet type (Type) or to the same wallet type (Type) with a different account). |
-r | Rotate (retire and regenerate) the encryption key. This option creates a new encryption key, encrypts it, and stores it in the wallet. The previous encryption key is moved to the history (encrypted with the new key) for cases where it is needed to decrypt data that was encrypted with it. Then HVR decrypts the repository tables with the old key and re-encrypts them with the new key. During this key rotation process, both the old and new keys are available in the history. Historical keys are kept in the wallet configuration, each encrypted with the latest key. TX/Log files do not undergo key rotation. Instead, the old key is left in the history, protected by the latest key. This option can also be used together with option -m. |
-Rurl | Remote hub server. Access the hub server running on a remote machine, via the REST interface. This option is required for remote CLI access. When using this option, command hvrlogin should be run first, for authentication. |
-Ssequence | Delete historical keys older than the sequence number sequence. This option cannot be combined with other options. |
-Ttstamp | Delete historical keys rotated before timestamp tstamp. Valid values for tstamp can be an absolute timestamp or a relative timestamp using seconds. This option cannot be combined with other options. |
-Vaccessmeth | Handle classified data.
|
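The key handling described for options -r, -m and -S, as an added model that is not HVR's implementation or code from this page. The Wallet class, seal/unseal and the SHAKE-256/HMAC toy wrap are assumptions standing in for the real cipher and storage. In this model, rotation re-wraps every historical key under the latest key, migration changes only the wrapping, and pruning the history leaves data still encrypted under a deleted key unreadable.

```python
import hashlib, hmac, secrets

def _xor(key, nonce, data):                 # SHAKE-256 keystream XOR
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, data):                        # toy authenticated wrap, NOT HVR's cipher
    nonce = secrets.token_bytes(16)
    ct = _xor(key, nonce, data)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified blob")
    return _xor(key, nonce, ct)

class Wallet:
    def __init__(self, wallet_key):         # wallet_key: password/KMS-protected (assumed)
        self.wallet_key, self.seq, self.history = wallet_key, 1, {}
        self.current = seal(wallet_key, secrets.token_bytes(32))

    def key(self, seq=None):                # latest key, or a historical one by sequence
        latest = unseal(self.wallet_key, self.current)
        return latest if seq in (None, self.seq) else unseal(latest, self.history[seq])

    def rotate(self):                       # models -r
        old = {s: self.key(s) for s in [*self.history, self.seq]}
        new = secrets.token_bytes(32)
        self.history = {s: seal(new, k) for s, k in old.items()}  # re-wrapped by latest key
        self.current, self.seq = seal(self.wallet_key, new), self.seq + 1

    def migrate(self, new_wallet_key):      # models -m: same key, new wrapping
        self.current, self.wallet_key = seal(new_wallet_key, self.key()), new_wallet_key

    def prune(self, sequence):              # models -S: drop keys older than `sequence`
        self.history = {s: b for s, b in self.history.items() if s >= sequence}

def demo():
    w = Wallet(secrets.token_bytes(32))
    record = b"constructed TX/Log record"   # sample data, never re-encrypted on rotation
    log_seq, log_blob = w.seq, seal(w.key(), record)
    w.rotate()
    w.rotate()
    key_before = w.key()
    w.migrate(secrets.token_bytes(32))
    readable = unseal(w.key(log_seq), log_blob) == record
    w.prune(w.seq)
    return w.seq, key_before == w.key(), readable, log_seq in w.history
```

demo() returns the current sequence number, whether the key survived migration unchanged, whether the old record was readable before pruning, and whether its key is still in the history afterwards.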
Examples
This section provides examples of using the hvrwalletconfig command.
Example 1. Create/configure wallet
The following command creates a software wallet with the specified Wallet Properties.
hvrwalletconfig -c -p Type=SOFTWARE Auto_Open=true
The following command creates a KMS wallet with the connection parameters required for the KMS Access Key Id authentication method.
hvrwalletconfig -c -p Type=KMS Auto_Open=true KMS_Region=eu-west-1 KMS_Customer_Master_Key_Id=1234abcd-12ab-1234590ab KMS_Access_Key_Id=AKIAJDRSJY123QWERTY
The following command creates a KMS wallet with the connection parameters required for the KMS IAM Role authentication method.
hvrwalletconfig -c Type=KMS KMS_Region=eu-west-1 KMS_Customer_Master_Key_Id=1234abcd-12ab-1234590ab KMS_IAM_Role=AKIAJDRSJY123QWERTY
Example 2. Delete/disable wallet
The following command deletes the existing wallet.
hvrwalletconfig -d
Example 3. Get wallet properties
The following command displays all properties of the configured wallet.
hvrwalletconfig
The following command displays the value of wallet property Auto_Open.
hvrwalletconfig Auto_Open
Example 4. Change wallet password
The following command changes the existing wallet's password. Enter the new password when prompted.
hvrwalletconfig -p
Example 5. Rotate wallet encryption key
The following command rotates the wallet encryption key.
hvrwalletconfig -r
Example 6. Migrate wallet
The following command migrates the existing wallet to a software wallet.
hvrwalletconfig -m -p Type=SOFTWARE Auto_Open=true
The following command migrates the existing wallet to a KMS wallet.
KMS Access Key Id authentication method
hvrwalletconfig -m -p Type=KMS Auto_Open=true KMS_Region=eu-west-1 KMS_Customer_Master_Key_Id=1234abcd-12ab-1234590ab KMS_Access_Key_Id=AKIAJDRSJY123QWERTY
KMS IAM Role authentication method
hvrwalletconfig -m Type=KMS KMS_Region=eu-west-1 KMS_Customer_Master_Key_Id=1234abcd-12ab-1234590ab KMS_IAM_Role=AKIAJDRSJY123QWERTY
Example 7. Delete historical keys
The following command deletes the keys rotated more than 86400 seconds (24 hours) ago.
hvrwalletconfig -T now-86400
The following command deletes the keys rotated before the specified time.
hvrwalletconfig -T 2019-11-26T10:54:59Z