---
title: "CMK Rotation - Fortanix DSM Version Below 5.6"
slug: "cmk-rotation-fortanix-dsm-version-below-5-6"
updated: 2026-06-01T09:04:42Z
published: 2026-04-17T17:20:34Z
---

# CMK Rotation - Fortanix DSM Version Below 5.6

## 1.0 Introduction

This article describes the process of rotating the Cluster Master Key (CMK) in Fortanix Data Security Manager (DSM).

## 2.0 Cluster Master Key Rotation

Fortanix DSM uses a CMK to derive individual keys for functions such as database encryption.

The following section describes the steps to rotate the CMK using shell and kubectl on one of the Fortanix DSM nodes:

### 2.1 Propose a New Master Key

1. Get the pod IPs for the `sdkms` pods using the following command:

```bash
sudo -E kubectl get pods -lapp=sdkms -owide
```
2. Propose a new CMK by making a REST API call to **any one** of the `sdkms` pods:

```bash
curl -kv https://<pod-IP>:4444/cluster/v1/key/propose -X POST
```

This should return `204 No Content`.

### 2.2 Distribute the Proposed Cluster Master Key

Distribute the new CMK to the **rest of the** `sdkms` pods by making a REST API call to **each of the other** `sdkms` **pods**.

```bash
curl -kv https://<other-pod-IP>:4444/cluster/v1/key/fetch -X POST -d '{"target":"<pod-IP>:4444"}'
```

Where,

- `pod-IP`: The IP of the pod that received the `propose` API call.
- `other-pod-IP`: The IP of each of the remaining `sdkms` pods (repeat the call once per pod).

This should return `204 No Content`.

### 2.3 Verify the New Cluster Master Key

For each `sdkms` pod, get the cluster master key status:

```bash
curl -k https://<pod-IP>:4444/cluster/v1/key
```

Each pod should return a `fetched_proposal_hash` JSON field and the field's value should be the same on each pod.

### 2.4 Restart the `sdkms` Pods

- Restart all the `sdkms` pods so that the proposed key is loaded from the database. This should be done using the CLI rolling restart mechanism described below. After the restart, the nodes are still using the old cluster master key.

```bash
cd /opt/fortanix/sdkms/bin/
./dsm_backend_rolling_restart.sh
```
- Get the new pod IPs for the `sdkms` pods after the restart using the following command:

```bash
sudo -E kubectl get pods -lapp=sdkms -owide
```

### 2.5 Activate the Cluster Master Key

Make a REST API call to **any one** `sdkms` pod:

```bash
curl -kv https://<any-pod-IP>:4444/cluster/v1/key/activate -X POST
```

This should return `204 No Content`.

### 2.6 Restart the `sdkms` Pods Again

- Restart all the `sdkms` pods using the following command so that the new cluster master key is used.

```bash
cd /opt/fortanix/sdkms/bin/
./dsm_backend_rolling_restart.sh
```

At this point, all new data protected by the cluster will use a key hierarchy rooted at the new CMK after each `sdkms` pod is rebooted.
- Again, get the new pod IPs for the `sdkms` pods after the restart using the following command:

```bash
sudo -E kubectl get pods -lapp=sdkms -owide
```

### 2.7 Verify the New Key

Check for the new cluster key version using the following command:

```bash
curl -k https://<any-pod-IP>:4444/cluster/v1/key
```

The key version should now be `2` if it was `1` before the rotation.

> [!NOTE]
> After CMK rotation, the DR and cold standby nodes must rejoin the cluster.
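The propose, distribute and verify steps of sections 2.1 to 2.3, driven from one POSIX shell script, as an added example that is not Fortanix tooling. It assumes the port `4444` and the `/cluster/v1/key` endpoints shown above, and that `DSM_CURL` (a name chosen here) may point at a curl-compatible stub for a dry run.

```shell
#!/bin/sh
# Added example, not Fortanix tooling: drives the propose / fetch / verify
# steps of sections 2.1 to 2.3 over a list of sdkms pod IPs and stops at the
# first step whose result is not what the procedure expects.
# Assumption: DSM_CURL may point at a stub that mimics curl for a dry run.
DSM_CURL=${DSM_CURL:-curl}

# POST to a pod endpoint; succeed only on the 204 No Content the page expects.
dsm_post() {  # $1 = pod IP, $2 = API path, $3 = optional JSON body
    if [ -n "$3" ]; then
        code=$("$DSM_CURL" -ks -o /dev/null -w '%{http_code}' -X POST -d "$3" "https://$1:4444$2")
    else
        code=$("$DSM_CURL" -ks -o /dev/null -w '%{http_code}' -X POST "https://$1:4444$2")
    fi
    [ "$code" = "204" ]
}

# Extract fetched_proposal_hash from status documents (one JSON per line); no jq needed.
proposal_hash() {
    sed -n 's/.*"fetched_proposal_hash" *: *"\([^"]*\)".*/\1/p'
}

# Return 0 only when every status line on stdin carries the same non-empty hash.
hashes_agree() {
    docs=$(cat)
    pods=$(printf '%s\n' "$docs" | grep -c . || true)
    found=$(printf '%s\n' "$docs" | proposal_hash | grep -c . || true)
    distinct=$(printf '%s\n' "$docs" | proposal_hash | sort -u | grep -c . || true)
    [ "$pods" -gt 0 ] && [ "$found" -eq "$pods" ] && [ "$distinct" -eq 1 ]
}

# 2.1: propose on the first pod; 2.2: fetch on the others; 2.3: compare hashes.
rotate_propose_and_distribute() {  # $1 = pod that receives propose, $2.. = other pods
    proposer=$1; shift
    dsm_post "$proposer" /cluster/v1/key/propose \
        || { echo "propose on $proposer did not return 204" >&2; return 1; }
    for ip in "$@"; do
        dsm_post "$ip" /cluster/v1/key/fetch "{\"target\":\"$proposer:4444\"}" \
            || { echo "fetch on $ip did not return 204" >&2; return 1; }
    done
    for ip in "$proposer" "$@"; do
        "$DSM_CURL" -ks "https://$ip:4444/cluster/v1/key" | tr -d '\n'
        echo
    done | hashes_agree \
        || { echo "fetched_proposal_hash differs across pods; do not restart" >&2; return 1; }
    echo "proposal distributed to all pods; continue with the rolling restart (2.4)"
}
```

Run as `rotate_propose_and_distribute <pod-IP> <other-pod-IP>...` with the IPs from `kubectl get pods -lapp=sdkms -owide`; the script only reports success when every pod agrees on the proposal hash, which is the condition section 2.3 requires before the first rolling restart.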

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

## Related

- [Splunk Integration with Sensu Server](/fortanix-dsm-splunk-integration-with-sensu-server.md)
- [App Authentication with an API Key](/dsm-example-code-app-authentication-with-an-api-key.md)
- [Data Center Labeling](/fortanix-data-security-manager-data-center-labeling.md)
- [FAQs - Install/Upgrade/Administration](/fortanix-faqs-install-upgrade-administration.md)
- [PKCS#11 Library](/fortanix-dsm-clients-pkcs11-library.md)
