Breadcrumbs

Verify Key Rotation Success

  1. Check the Utimaco ESKM KMIP logs for successful ENCRYPT and DECRYPT requests associated with the new key's UUID (9665c782-d8a6...). This confirms the kube-apiserver is using the new key for both new and re-encrypted secrets.

image-20250813-051615.png

ESKM KMIP Logs

  1. Use etcdctl to get a secret's value. The output shows that the secret is now encrypted with the new UUID (9665c782-d8a6-47b7-a273-2377a335c46d). The presence of this UUID confirms a successful key rotation.

image-20250813-051707.png


Verify Key Rotation Success