When using a newly generated master encryption key in your key management system, set fepChildCrVal.sysTde.tdek.targetKeyId in the FEPCluster custom resource to the ID of the new master encryption key. The operator automatically re-enables TDE when this value is updated.
Also, if the credentials for connecting with the key management system are updated, update the corresponding values in the FEPCluster custom resource. The operator automatically performs a keystore open when the credentials are updated.
When re-enabling TDE or opening the keystore completes, the following event is reported.
# When re-enabling TDE
$ kubectl get event
LAST SEEN   TYPE      REASON                      OBJECT                         MESSAGE
164m        Normal    SuccessfulTdeSetMasterKey   fepconfig/<FEPClusterCR name>  <namespace>, Successfully set TDE masterKey

# When re-enabling TDE fails
$ kubectl get event
LAST SEEN   TYPE      REASON                      OBJECT                         MESSAGE
164m        Warning   FailedTdeSetMasterKey       fepconfig/<FEPClusterCR name>  <namespace>, Error/Failure set TDE masterKey
If the process fails, review the parameters defined in the FEPCluster custom resource and re-enter the correct values.
If only the contents of the Secret or ConfigMap that stores the credentials are updated and the custom resource is not modified, open the keystore using the FEPAction custom resource described in "5.12.2 Update Credentials".
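The rotation and the event check described above, as an added shell example that is not part of the product documentation. It assumes the field sits under .spec of the FEPCluster custom resource and that the resource is addressable as fepcluster; the function names and the sample events are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the FEP documentation. Assumptions: the field sits
# under .spec of the FEPCluster CR and the CRD is reachable as "fepcluster".

# Point the cluster at a new master encryption key (triggers TDE re-enable).
rotate_tde_key() {  # args: <FEPClusterCR name> <namespace> <new key ID>
  kubectl patch fepcluster "$1" -n "$2" --type merge -p \
    "{\"spec\":{\"fepChildCrVal\":{\"sysTde\":{\"tdek\":{\"targetKeyId\":\"$3\"}}}}}"
}

# Classify `kubectl get event` output read from stdin for one FEPCluster.
# Input must be oldest-first so the last matching event wins; an old
# success must not hide a newer failure.
tde_rotation_status() {  # arg: <FEPClusterCR name>
  awk -v obj="fepconfig/$1" '
    $4 == obj && $3 == "SuccessfulTdeSetMasterKey" { s = "success" }
    $4 == obj && $3 == "FailedTdeSetMasterKey"     { s = "failed" }
    END { print (s == "" ? "pending" : s) }'
}

# Live check against the cluster, sorted so the newest event is last.
check_tde_rotation() {  # args: <FEPClusterCR name> <namespace>
  kubectl get event -n "$2" --sort-by=.lastTimestamp | tde_rotation_status "$1"
}

# Constructed sample output (not captured from a real cluster), oldest first.
SAMPLE_EVENTS='LAST SEEN   TYPE      REASON                      OBJECT                MESSAGE
12m         Normal    SuccessfulTdeSetMasterKey   fepconfig/my-fep      ns1, Successfully set TDE masterKey
5m          Normal    SuccessfulTdeSetMasterKey   fepconfig/other-fep   ns1, Successfully set TDE masterKey
3m          Warning   FailedTdeSetMasterKey       fepconfig/my-fep      ns1, Error/Failure set TDE masterKey'
```

A result of "pending" means no TDE master key event exists yet for that cluster, so the check should be repeated rather than treated as success.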